By default, the variables (set on a per-sensor basis) are declared with the value any, which matches any IP address. While this value works, it may cause a large number of false positive alerts.
The steps involved in setting or changing the IDS variables are:
- Click on the LANGuardian menu bar and select Sensors.
- Click the Settings link for the sensor you want to modify.
- Click Configure IDS.
- Find the network variable.
- Specify a setting (see some examples below).
- Click Save.
Port 80 is the default HTTP port. You may enter either a single number or a comma-separated list of ports to be monitored, for example 80,8080,3128.
SMTP_SERVERS: The IP address or addresses of the mail servers in your network, for example [126.96.36.199/24].
HOME_NET: Use this to specify the IP address or addresses of the systems you are protecting, that is, your home network addresses, for example [188.8.131.52/24,184.108.40.206/16].
Setting specific IP addresses and port numbers goes a long way towards reducing the number of false positives that Snort generates.
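Before saving a value, it can help to check it offline. The following is an added example, not LANGuardian or Snort code: the function names `check_net_var` and `check_port_var` are hypothetical, the sample addresses are constructed from documentation ranges, and only the value forms shown above (any, a bracketed CIDR list, a comma-separated port list) are handled.

```python
import ipaddress

def check_net_var(value):
    """Check a network variable value (e.g. HOME_NET). Returns (networks, warnings)."""
    value = value.strip()
    if value.lower() == "any":
        return [], ["'any' matches every IP address"]
    if value.startswith("[") != value.endswith("]"):
        raise ValueError("unbalanced brackets: %r" % value)
    networks, warnings = [], []
    for item in value.strip("[]").split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in %r" % value)
        iface = ipaddress.ip_interface(item)  # ValueError on a malformed entry
        net = iface.network
        if iface.ip != net.network_address:
            # e.g. 198.51.100.17/24 really means the whole 198.51.100.0/24
            warnings.append("%s has host bits set; it covers %s" % (item, net))
        if net.prefixlen == 0:
            warnings.append("%s is equivalent to 'any'" % item)
        networks.append(net)
    return networks, warnings

def check_port_var(value):
    """Check a comma-separated port list (e.g. 80,8080,3128). Returns sorted unique ports."""
    ports = set()
    for item in value.strip().strip("[]").split(","):
        item = item.strip()
        # Assumption of this checker: valid ports are 1-65535.
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError("not a port number: %r" % item)
        ports.add(int(item))
    return sorted(ports)

if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    for name, val in [("HOME_NET", "[192.0.2.0/24,198.51.100.17/24]"),
                      ("SMTP_SERVERS", "any")]:
        nets, warns = check_net_var(val)
        print(name, [str(n) for n in nets], warns)
    print("ports", check_port_var("80,8080,3128"))
```

A warning about host bits means the entry protects a wider range than the single address typed, which is worth confirming before relying on it to cut false positives.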
Should you wish to alter the IDS variables, and the examples above don't help, please contact us on firstname.lastname@example.org any time.
NetFort Support Team