Snort mailing list archives
RE: Home_net & external_net
From: "Jeremy Finke" <Jeremy.Finke () MeridianIQ com>
Date: Fri, 6 Dec 2002 11:21:14 -0600
Don,

Thanks! This looks like the winner.. However, I don't understand why setting up:

var TRUSTED_NET [192.168.40.0/24,10.14.0.0/16]
var EXTERNAL_NET !$TRUSTED_NET

Is any different than:

var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]

-----Original Message-----
From: Don [mailto:Don () WeberOnTheWeb com]
Sent: Fri 12/6/2002 10:39 AM
To: Erek Adams; Jeremy Finke
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Home_net & external_net

erek,

what would be wrong with doing as I suggested, the having 3 subnets as home_net, and only wanting to ignore alerts from 2 of those 3 subnets, is exactly why i have/use the trusted_net variable, which makes it where i can add/subtract IP's from there as necessary, this allows both, home_net to consist of all subnets, and allows the ability to gather alerts from the subnet he wants alerts on.

creating the trusted_net variable has saved me lots of headaches in stuff like this, where an IP is in my home_net and i wish to have alerts from it, I also create the same type of variables for trusted_smtp trusted_sql etc... so that just anything in home-net is not automatically ignored when it comes to alerts from those type of services. I also use a suspect_net variable that i can add IP's to. it helps narrowing things down a bit.

don

> >-----Original Message-----
> >From: snort-users-admin () lists sourceforge net
> >[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams
> >Sent: Friday, December 06, 2002 7:21 AM
> >To: Jeremy Finke
> >Cc: snort-users () lists sourceforge net
> >Subject: RE: [Snort-users] Home_net & external_net
> >
> >On Fri, 6 Dec 2002, Jeremy Finke wrote:
> >
> >> Except that I want to view 192.168.41.0 as both an attacking and
> >> protected network.
> >
> >Ok, well that's not clear from your original info.
> >
> >[I'm short on coffee today, so all brain cells may not be firing...]
> >
> >What you're doing now:
> >
> >> var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
> >> var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]
> >
> >Wouldn't work the way you want. If it does work and is valid (I'm too
> >lazy to dig into the source right now) it is the same as setting EXTERNAL
> >to !$HOME_NET.
> >
> >You might want to consider running another instance of snort that is setup
> >to just watch the 192.168.41.0 net. Setup one as external as !$HOME on
> >one, then use 'any' on the second.
> >
> >Granted it's not optimal, but it would work.
> >
> >Cheers!
> >
> >-----
> >Erek Adams
> >Nifty-Type-Guy
> >TheAdamsFamily.Net
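Added example, not part of the original message and not Snort's own code: a small Python model of the two definitions asked about above, showing that they can only differ if the elements of a bracketed list are OR'd together. The function names, the sample hosts and both list-evaluation models are assumptions made for illustration; the thread does not say which one a given Snort build uses.

```python
from ipaddress import ip_address, ip_network

# Networks taken from the message above.
TRUSTED_NET = [ip_network("192.168.40.0/24"), ip_network("10.14.0.0/16")]


def in_list(addr, nets):
    """Plain list match: the address is inside at least one network."""
    return any(addr in net for net in nets)


def negated_variable(addr, nets=TRUSTED_NET):
    """Model of `var EXTERNAL_NET !$TRUSTED_NET`: NOT (A or B)."""
    return not in_list(addr, nets)


def negated_elements_or(addr, nets=TRUSTED_NET):
    """Model of `[!A,!B]` if elements are OR'd (assumption): (NOT A) or (NOT B)."""
    return any(addr not in net for net in nets)


def negated_elements_and(addr, nets=TRUSTED_NET):
    """Model of `[!A,!B]` if every negation must hold (assumption): (NOT A) and (NOT B)."""
    return all(addr not in net for net in nets)


def compare(sample):
    """Return {address: (negated_variable, elements_or, elements_and)}."""
    out = {}
    for text in sample:
        addr = ip_address(text)
        out[text] = (negated_variable(addr),
                     negated_elements_or(addr),
                     negated_elements_and(addr))
    return out


# Constructed sample: one host per trusted net, one in 192.168.41.0/24, one outside.
SAMPLE = ["192.168.40.10", "10.14.3.7", "192.168.41.5", "203.0.113.9"]

if __name__ == "__main__":
    for addr, row in compare(SAMPLE).items():
        print(f"{addr:15} !$TRUSTED_NET={row[0]!s:5} "
              f"[!A,!B] OR={row[1]!s:5} AND={row[2]!s:5}")
```

Under the OR model every address, including the trusted hosts, matches `[!A,!B]`, so that form excludes nothing; under the AND model the two definitions agree.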