Snort mailing list archives
RE: disable spp_portscan2
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 18 Mar 2003 16:59:00 -0500
Yes, the "any" in

    var EXTERNAL_NET any

includes HOME_NET. If you want EXTERNAL_NET to exclude HOME_NET, just
negate HOME_NET like so:

    var EXTERNAL_NET !$HOME_NET

- Christopher
-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com]
Sent: Tuesday, March 18, 2003 3:58 PM
To: Erek Adams
Cc: snort
Subject: Re: [Snort-users] disable spp_portscan2
Erek:
Here's a chance to ask a question I've had...
On or about Tue, Mar 18, 2003 at 11:46:06AM -0500, Erek Adams posited:
On Tue, 18 Mar 2003, John Sage wrote:
Erek, et al:
<snip>
As it's done above, you're setting EXTERNAL_NET to HOME_NET. That
basically turns most rules into "if from this host to this host."
Now if that's what is really intended:

    var HOME_NET $lo0_ADDRESS
    var EXTERNAL_NET any

Does the "any" for EXTERNAL_NET include HOME_NET, or does it really
mean "any other"?
- John
--
"You must define an operating system environment,
or the configuration file build will puke."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
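
Added example (not part of either poster's message, and not Snort's own code): a simplified Python model of how the two EXTERNAL_NET definitions discussed above change which packets the address part of a "$EXTERNAL_NET any -> $HOME_NET any" rule header matches. The HOME_NET value and packet addresses are constructed, and the resolver is an assumption that handles only "any", a host or CIDR block, a $VAR reference and a leading "!".

```python
import ipaddress

def resolve(expr, variables):
    """Turn a Snort-style address expression into a predicate on an IP string.

    Simplified model (an assumption, not Snort's parser): supports 'any',
    a host or CIDR block, a $VAR reference, and a leading '!' negation.
    """
    expr = expr.strip()
    if expr.startswith("!"):
        inner = resolve(expr[1:], variables)
        return lambda ip: not inner(ip)
    if expr.startswith("$"):
        return resolve(variables[expr[1:]], variables)
    if expr == "any":
        return lambda ip: True          # matches every address, HOME_NET included
    net = ipaddress.ip_network(expr, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

def header_matches(variables, src_ip, dst_ip):
    """Evaluate the address part of a '$EXTERNAL_NET any -> $HOME_NET any' header."""
    return (resolve("$EXTERNAL_NET", variables)(src_ip)
            and resolve("$HOME_NET", variables)(dst_ip))

# Constructed sample data: one home network and two packets as (src, dst).
HOME_NET = "192.168.1.0/24"
PACKETS = [
    ("203.0.113.7", "192.168.1.10"),    # outside -> home
    ("192.168.1.20", "192.168.1.10"),   # home -> home
]

def matched(external_net):
    """Return the sample packets the header matches for a given EXTERNAL_NET."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    return [p for p in PACKETS if header_matches(variables, *p)]

if __name__ == "__main__":
    for definition in ("any", "!$HOME_NET"):
        print(f"var EXTERNAL_NET {definition}: {matched(definition)}")
```

With "any" the home-to-home packet still satisfies the header; with "!$HOME_NET" only the packet sourced outside the home network does.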
