I'm not sure if I understand your question correctly, but in the
snort.conf file, you should set $HOME_NET to 192.168.1.0/24 and
EXTERNAL_NET to !$HOME_NET. I wouldn't recommend ignoring local traffic
as Snort can do wonders for detecting malware trying to connect out from
the host/host network. If you still get a lot of false positives, try
and tweak the rules or create your own in order to get your desired results.

Jonathan Askew JBASKEW wrote:
> I am new to IDS and have just set up Snort on an Ubuntu host. It has worked
> well except for the fact that I am getting some false positives from local
> traffic on the network. I have been trying to find the solution on Snort's
> forums but the site seems to be going up and down randomly. I want to set a
> rule in order to suppress/ignore local network traffic for 192.168.1.0/24.
> I know this can be done in the /etc/threshold.conf file but have not been
> able to do so successfully. Can someone be so kind as to post their
> threshold.conf file or guide me through the process?
> 
> Thanks,
> Blake
> 
> 
> ------------------------------------------------------------------------
> Test Your IDS
> 
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to 
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>  
> to learn more.
> ------------------------------------------------------------------------
> 
> 
> __________ NOD32 2724 (20071214) Information __________
> 
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
> 
> 
> 
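
An added example, not part of either message above: the snort.conf variables from the reply, plus a threshold.conf entry that suppresses one noisy signature for the local subnet instead of ignoring all local traffic. It assumes Snort 2.x syntax; the sig_id 1000001 is a constructed placeholder for whichever rule is producing the false positives.

```conf
# snort.conf -- network variables as described in the reply
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# /etc/threshold.conf -- silence a single signature for local hosts only.
# gen_id 1 is the standard rules engine; sig_id 1000001 is a placeholder,
# replace it with the SID shown in the false-positive alert.

# Suppress alerts from this SID when the source is on the local subnet
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.0/24

# Suppress alerts from this SID when the destination is on the local subnet
suppress gen_id 1, sig_id 1000001, track by_dst, ip 192.168.1.0/24
```

Every other rule still fires on 192.168.1.0/24 traffic, so outbound connections from an infected local host remain visible.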
