Snort: Don't Automatically Add Internal Subnets
  • Is there a way to configure Snort to use a HOME_NET that only includes the subnets I designate as the HOME_NET?

    Our PCI auditor wants the IDS to run on internal interfaces, not on external. This means I need to figure out how to get the internal subnets the firewall is aware of to stop ignoring inspection with Snort.  As far as I can tell, anything in the HOME_NET is automatically ignored.

    I tried creating a new "homenet" NETLIST and setting that as the HOME_NET in the GUI, but it is still adding the internal subnets automatically.

    Thanks.

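As an added illustration (not part of the original post, and not pfSense or Snort project code), the script below models how Snort resolves the address part of a rule header against HOME_NET and EXTERNAL_NET. The subnets, the rule header and the sample flows are constructed assumptions. It shows why, with EXTERNAL_NET defined as `!$HOME_NET` (a common default), a flow between two subnets that are both inside HOME_NET never satisfies an `$EXTERNAL_NET any -> $HOME_NET any` header, while EXTERNAL_NET set to `any` makes that same internal-to-internal flow eligible for inspection by those rules. Ports are ignored and `<>` is treated as bidirectional; pfSense's own handling of interface networks is not modelled.

```python
import ipaddress

# Constructed example: two internal subnets we want inspected, plus the
# default-style EXTERNAL_NET definition. These values are assumptions for the
# demo, not values from the original post.
VARS_DEFAULT = {
    "HOME_NET": "[10.10.0.0/24,10.10.1.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}
VARS_ANY_EXTERNAL = dict(VARS_DEFAULT, EXTERNAL_NET="any")

# Hypothetical rule header in Snort syntax; the rule body (msg, sid, ...) is
# omitted because only the address part matters for this check.
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"


def split_list(body):
    """Split the inside of a Snort address list on top-level commas,
    keeping nested [...] groups intact."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def addr_matches(addr, spec, variables):
    """Return True if addr falls inside the Snort address spec.
    Handles 'any', CIDRs/hosts, $VAR references, '!' negation (which negates
    the whole following expression) and [a,b,...] lists."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(addr, spec[1:], variables)
    if spec.startswith("$"):
        return addr_matches(addr, variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(addr, p, variables) for p in split_list(spec[1:-1]))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def header_matches(src, dst, rule_header, variables):
    """True if a flow src->dst satisfies the address part of a rule header.
    Ports are ignored in this demo; '<>' is treated as bidirectional."""
    _action, _proto, src_spec, _sport, direction, dst_spec, _dport = rule_header.split()
    forward = addr_matches(src, src_spec, variables) and addr_matches(dst, dst_spec, variables)
    if direction == "->":
        return forward
    if direction == "<>":
        return forward or (addr_matches(dst, src_spec, variables)
                           and addr_matches(src, dst_spec, variables))
    raise ValueError(f"unknown direction {direction!r}")


def coverage_report(flows, rule_header, variables):
    """Map each (src, dst) flow to whether the rule header would examine it."""
    return {flow: header_matches(flow[0], flow[1], rule_header, variables) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows: internet -> internal, and internal -> internal.
    flows = [("203.0.113.7", "10.10.0.5"), ("10.10.0.5", "10.10.1.20")]
    for label, variables in (("EXTERNAL_NET=!$HOME_NET", VARS_DEFAULT),
                             ("EXTERNAL_NET=any", VARS_ANY_EXTERNAL)):
        print(label)
        for flow, seen in coverage_report(flows, RULE, variables).items():
            print(f"  {flow[0]:>14} -> {flow[1]:<14} {'inspected' if seen else 'skipped'}")
```

The practical reading for an IDS on internal interfaces: keep HOME_NET limited to the subnets you want protected, and check what EXTERNAL_NET resolves to, because most community rules are written with `$EXTERNAL_NET` as the source and will not fire on traffic between two HOME_NET subnets unless EXTERNAL_NET covers them.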