Snort mailing list archives

RE: Home_net & external_net


From: "Jeremy Finke" <Jeremy.Finke () MeridianIQ com>
Date: Fri, 6 Dec 2002 11:21:14 -0600

Don,
Thanks! This looks like the winner.
 
However, I don't understand why setting up:
var TRUSTED_NET [192.168.40.0/24,10.14.0.0/16]
var EXTERNAL_NET !$TRUSTED_NET

is any different from:
var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]
 

        -----Original Message----- 
        From: Don [mailto:Don () WeberOnTheWeb com] 
        Sent: Fri 12/6/2002 10:39 AM 
        To: Erek Adams; Jeremy Finke 
        Cc: snort-users () lists sourceforge net 
        Subject: RE: [Snort-users] Home_net & external_net
        
        

        Erek, what would be wrong with doing as I suggested? Having 3 subnets as
        home_net and only wanting to ignore alerts from 2 of those 3 subnets is
        exactly why I have/use the trusted_net variable, which makes it so I can
        add/subtract IPs from there as necessary. This allows both: home_net can
        consist of all subnets, and I keep the ability to gather alerts from the
        subnet he wants alerts on. Creating the trusted_net variable has saved me
        lots of headaches in stuff like this, where an IP is in my home_net and I
        wish to have alerts from it. I also create the same type of variables for
        trusted_smtp, trusted_sql, etc., so that anything in home_net is not
        automatically ignored when it comes to alerts from those types of services. I
        also use a suspect_net variable that I can add IPs to; it helps narrow
        things down a bit.
        
        don
        
        
        > >-----Original Message-----
        > >From: snort-users-admin () lists sourceforge net
        > >[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams
        > >Sent: Friday, December 06, 2002 7:21 AM
        > >To: Jeremy Finke
        > >Cc: snort-users () lists sourceforge net
        > >Subject: RE: [Snort-users] Home_net & external_net
        > >
        > >
        > >On Fri, 6 Dec 2002, Jeremy Finke wrote:
        > >
        > >> Except that I want to view 192.168.41.0 as both an attacking and
        > >> protected network.
        > >
        > >Ok, well that's not clear from your original info.
        > >
        > >[I'm short on coffee today, so all brain cells may not be firing...]
        > >
        > >What you're doing now:
        > >
        > >> var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
        > >> var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]
        > >
        > >Wouldn't work the way you want.  If it does work and is valid (I'm too
        > >lazy to dig into the source right now) it is the same as setting EXTERNAL
        > >to !$HOME_NET.
        > >
        > >You might want to consider running another instance of snort that is set up
        > >to just watch the 192.168.41.0 net. Set up one with external as !$HOME on
        > >one, then use 'any' on the second.
        > >
        > >Granted it's not optimal, but it would work.
        > >
        > >Cheers!
        > >
        > >-----
        > >Erek Adams
        > >Nifty-Type-Guy
        > >TheAdamsFamily.Net
        > >
        > >
        > >
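The question above (whether `var EXTERNAL_NET !$TRUSTED_NET` differs from `var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]`) comes down to how a list of negated elements is combined. The following is an added example, not code from the thread or from the Snort project, and it does not assert which combination rule a given Snort release uses. It models the two plausible readings side by side: reading A, where each list element is tested independently and the results are ORed (so `[!a,!b]` is true for any address that is outside at least one of the two networks), and reading B, where `!$TRUSTED_NET` means "outside the union of the trusted networks". The `TRUSTED_NET` and `EXTERNAL_NET_LIST` strings are the values from the thread; the function names and the `compare` helper are this example's own.

```python
import ipaddress

# Constructed example (not from the mailing-list thread or from Snort).
# Models two readings of a Snort-style IP variable so the difference between
# "!$TRUSTED_NET" and "[!a,!b]" can be checked against concrete addresses.


def parse_element(elem):
    """Return (negated, network) for one element; network is None for 'any'."""
    elem = elem.strip()
    negated = elem.startswith("!")
    if negated:
        elem = elem[1:]
    if elem == "any":
        return negated, None
    return negated, ipaddress.ip_network(elem, strict=False)


def parse_list(spec):
    """Parse '[a,!b,any]' (or a single bare element) into (negated, network) pairs."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [parse_element(e) for e in spec.split(",") if e.strip()]


def elem_matches(ip, negated, net):
    """Evaluate a single element against an address, honouring '!' and 'any'."""
    inside = True if net is None else ip in net
    return (not inside) if negated else inside


def match_or_each(ip, spec):
    """Reading A (assumed): each element is evaluated on its own, results ORed."""
    ip = ipaddress.ip_address(ip)
    return any(elem_matches(ip, neg, net) for neg, net in parse_list(spec))


def match_negate_whole(ip, trusted_spec):
    """Reading B: '!$TRUSTED_NET' = address lies in none of the trusted networks."""
    ip = ipaddress.ip_address(ip)
    return not any(elem_matches(ip, neg, net) for neg, net in parse_list(trusted_spec))


# Values taken from the thread.
TRUSTED_NET = "[192.168.40.0/24,10.14.0.0/16]"
EXTERNAL_NET_LIST = "[!192.168.40.0/24,!10.14.0.0/16]"


def compare(ip):
    """Does this address count as EXTERNAL_NET under each reading?"""
    return {
        "negate_whole": match_negate_whole(ip, TRUSTED_NET),   # !$TRUSTED_NET
        "or_each": match_or_each(ip, EXTERNAL_NET_LIST),       # [!a,!b], reading A
    }


def readings_agree(ips):
    """True only if both readings classify every sample address identically."""
    return all(len(set(compare(ip).values())) == 1 for ip in ips)


if __name__ == "__main__":
    for sample in ("192.168.40.5", "10.14.3.3", "192.168.41.9", "8.8.8.8"):
        print(sample, compare(sample))
    print("readings agree:", readings_agree(["192.168.40.5", "8.8.8.8"]))
```

Under reading B, 192.168.40.5 is not external, as intended. Under reading A it is, because it sits outside 10.14.0.0/16 even though it is inside 192.168.40.0/24, and the same logic makes `[any,!a,!b]` match everything. Whichever rule a particular Snort build applies, the practical lesson is the one Don's approach embodies: define the trusted set once as a positive list and negate the variable, then confirm on a few addresses from each subnet that rules fire, or stay quiet, as expected, rather than relying on the two spellings being interchangeable.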
        
        

