Snort mailing list archives

Re: rules difficulty


From: Chris Green <cmg () uab edu>
Date: Sun, 28 Oct 2001 10:11:32 -0600

Greg Sarsons <gsarsons () home com> writes:

> I'm having trouble getting my rule to do what I want.  It is simple: all
> I want is to log everything from this range, i.e., see what traffic is
> coming and going from the network.
>
> The range is x.117.88.0 to x.117.95.255.
>
> I guess my confusion is over getting the correct HOME_NET and
> EXTERNAL_NET variables.

Try

# x.117.88.0 - x.117.95.255 is a /21; variable names take no "$" when defined
var HOME_NET 192.117.88.0/21
var EXTERNAL_NET !$HOME_NET


If your goal is to do all traffic, I'd just use something like tcpdump
and then use snort to investigate afterwards.
-- 
Chris Green <cmg () uab edu>
Fame may be fleeting but obscurity is forever.
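
Checking a candidate HOME_NET against the address range from this thread, as an added example that is not part of the original post. The function names are hypothetical, and 192 stands in for the elided first octet, as it does in the reply above.

```python
import ipaddress


def check_home_net(first, last, candidate):
    """Compare a candidate CIDR with the intended first..last range."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    # strict=False accepts a base address with host bits set and
    # normalises it to the enclosing network.
    net = ipaddress.ip_network(candidate, strict=False)
    net_lo = int(net.network_address)
    net_hi = int(net.broadcast_address)
    overlap = max(0, min(net_hi, hi) - max(net_lo, lo) + 1)
    return {
        "network": str(net),                  # what the mask really covers
        "aligned": str(net) == candidate,     # base address on a boundary?
        "extra": net.num_addresses - overlap, # matched but outside the range
        "missing": (hi - lo + 1) - overlap,   # in the range but not matched
    }


def snort_vars(first, last):
    """Build Snort 'var' lines covering exactly first..last."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(blocks) == 1:
        home = str(blocks[0])
    else:
        # A range that is not one CIDR block needs a bracketed list.
        home = "[" + ",".join(str(b) for b in blocks) + "]"
    return ["var HOME_NET " + home, "var EXTERNAL_NET !$HOME_NET"]


if __name__ == "__main__":
    first, last = "192.117.88.0", "192.117.95.255"  # constructed sample
    for cidr in ("192.117.88.0/20", "192.117.88.0/21"):
        print(cidr, check_home_net(first, last, cidr))
    print("\n".join(snort_vars(first, last)))
```

A non-zero `extra` means the variable would treat addresses outside the monitored range as home, which changes what `!$HOME_NET` excludes.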
