Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Home_net & external_net

From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 6 Dec 2002 07:21:29 -0800 (PST)
On Fri, 6 Dec 2002, Jeremy Finke wrote:


Except that I want to view 192.168.41.0 as both an attacking and
protected network.


Ok, well that's not clear from your original info.

[I'm short on cofee today, so all brain cells may not be firing...]

What you're doing now:


var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]


Wouldn't work the way you want.  If it does work and is valid (I'm too
lazy to dig into the source right now) it is the same as setting EXTERNAL
to !$HOME_NET.

You might want to consider running another instance of snort that is setup
to just watch the 192.168.41.0 net.  Setup one as external as !$HOME on
one, then use 'any' on the second.

Granted it's not optimal, bit it would work.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: