Snort mailing list archives

RE: home_net and external_net: how to use ! with multiple subnets ?


From: "Tony Bunce" <tonyb () go-concepts com>
Date: Wed, 20 Aug 2003 10:13:51 -0400

Will this work? (I would try but my snort box is down at the moment)
var EXTERNAL_NET !$HOME_NET


Thanks,
Tony B, CCNA, Network+
Systems Administration
GO Concepts, Inc. / www.go-concepts.com
Are you on the GO yet?
What about those you know, are they on the GO?
513.934.2800
1.888.ON.GO.YET


-----Original Message-----
From: Tom Van Overbeke [mailto:tvanoverbeke () ccncsi net] 
Sent: Wednesday, August 20, 2003 7:46 AM
To: 'cc'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] home_net and external_net: how to use ! with multiple subnets ?


On the internal side, we have various LANs / DMZs etc.; the external IP interface (public IP address) is connected to a hub, on which another public IP address (that I also want to consider as 'home_net') is connected.

Now I'd like to consider external net as 'everything that is not home_net', but I can't get the syntax right. So for the moment I have only excluded our main LAN in external net.
The problem being that a lot of false alerts are logged that come from the other local subnets.

this is my current definition:

var HOME_NET [172.21.0.0/16,172.16.208.0/27,172.16.208.32/27,195.xxx.xxx.xxx/32,195.xxx.xxx.xxx/32]
var EXTERNAL_NET !172.21.0.0/16

Two possible minor things come to my mind:

1)  Why have you repeated 195.xxx.xxx.xxx/32 twice?  Typo I take it?

No, there are actually 2 public IP addresses listed there.


2) Wouldn't it be?
   var EXTERNAL_NET !HOME_NET

I'm not too sure about that last one, but it certainly sounds logical.

Yes, it would seem so, but when I tried it, I got this error message:

Aug 20 13:41:06 pitbull snort: FATAL ERROR: ERROR ./snort.org-rules/bad-traffic.rules(12): Couldn't resolve hostname HOME_NET

So it will have to be a combination of ! [] and , I'm afraid, but the things I tried seemed to work (no error), but didn't give the desired result. Or maybe it's not even possible?


Anyone who's in the know, please come forward.


thx,


Tom.



-------------------------------------------------------
This SF.net email is sponsored by Dice.com.
Did you know that Dice has over 25,000 tech jobs available today? From
careers in IT to Engineering to Tech Sales, Dice has tech jobs from the
best hiring companies. http://www.dice.com/index.epl?rel_code=104
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
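
Added example, not part of the original thread and not Snort's own parser: a small Python model of how `var` values with `$NAME` references and `!` negation resolve, showing why a bare `!HOME_NET` is read as a hostname and which sources a given EXTERNAL_NET definition treats as external. The function names, the `BROKEN_NET` variable and the 192.0.2.x addresses (standing in for the redacted public addresses) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the thread; 192.0.2.x replaces the redacted IPs.
SAMPLE_CONF = """\
var HOME_NET [172.21.0.0/16,172.16.208.0/27,172.16.208.32/27,192.0.2.10/32,192.0.2.11/32]
var EXTERNAL_NET !$HOME_NET
var BROKEN_NET !HOME_NET
"""

def parse_vars(conf):
    """Return {name: raw value} for every 'var NAME VALUE' line."""
    out = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def resolve(value, variables):
    """Expand a value into (negated, [networks]); raise on unresolved names."""
    negated = value.startswith("!")
    body = value[1:] if negated else value
    if body.startswith("$"):
        # '$NAME' is a variable reference: substitute and combine negations.
        inner_neg, nets = resolve(variables[body[1:]], variables)
        return negated != inner_neg, nets
    nets = []
    for item in body.strip("[]").split(","):
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            # A bare name is not an address; flag the likely missing '$'.
            hint = " (missing '$'?)" if item in variables else ""
            raise ValueError(f"cannot resolve {item!r} as an address{hint}")
    return negated, nets

def matches(addr, value, variables):
    """True if addr falls inside the (possibly negated) address set."""
    negated, nets = resolve(value, variables)
    inside = any(ipaddress.ip_address(addr) in n for n in nets)
    return inside != negated
```

With the thread's interim definition `!172.21.0.0/16`, `matches("172.16.208.40", "!172.21.0.0/16", ...)` is true, which corresponds to the false alerts from the other local subnets.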


