Re: snort.conf & commandline.

[Erek Adams <erek () theadamsfamily net>]

On Mon, 8 Jul 2002, Rich Adamson wrote:

> My guess based on your comments is you probably want an equal sign
> in the var External_Net definition. Something like:
>   var EXTERNAL_NET = $HOME_NET,  or,
>   var EXTERNAL_NET != $HOME_NET
>
> If I've understood what you're trying to accomplish, the Home_Net should
> describe the IP addresses that you are trying to protect (or observe),
> and the External_Net is everything else (eg, !=).

First off, to answer Sander's earlier question:

        When -S is used, it does "overrride" or replace the variable before
the interpretation of the file.  So using -S on the command line would simply
set HOME_NET to whatever and then EXTERNAL_NET to the same.

Next:

        The two most common settings for EXTERNAL_NET are:

                var EXTERNAL_NET any
                var EXTERNAL_NET !$HOME_NET

        I use the second due to sensor placement.  If you're building
packages, then I would suggest to use that.  That implies "The internet minus
$HOME_NET" which is what I think you want.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Oh, it's good to be a geek.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users