Snort mailing list archives
Re: HOME_NET and EXTERNAL_NET
From: Tim Slighter <tslighter () itc nrcs usda gov>
Date: Wed, 01 Dec 2004 15:38:26 -0700
you couldthe HOME_NET such as this: var CLASS_C [192.168.1.0/24,192.168.2.0/24] and then var EXTERNAL_NET !$HOME_NETHowever, if you need to monitor traffic for a class B but only interested in seeing attacks for Class C within that Class B then you might want to define a custom variable prior to the EXTERNAL_NET:
var HOME_NET 192.168.0.0 var CLASS_C [192.168.1.0/24,192.168.2.0/24] var EXTERNAL_NET !$HOME_NETthen you would use that variable in place of HOME_NET in your rules files...or extract the rules that apply to this Class C and create a new rules file and use the $CLASS_C in place of $HOME_NET in that rules file. Make sure to add the rules file into the snort.conf file so that it is used.
JAMIE CRAWFORD wrote:
Thanks for the reply, but that will still show me attacks coming from my class b. For some reason, I see alerts originating from and going to my class b, all I want to see is alerts about attacks made toward my two class c's, from anything but my class b. I know, a bit confusing. thanks, jamie"M. Shirk" <shirkdog_list () hotmail com> 12/01/04 03:18PM >>>try this: var EXTERNAL_NET !HOME_NET Shirkdoghttp://www.shirkdog.us_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today - it'sFREE! hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users.Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ _______________________________________________Snort-users mailing listSnort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users.Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users.Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HOME_NET and EXTERNAL_NET JAMIE CRAWFORD (Dec 01)
- RE: HOME_NET and EXTERNAL_NET M. Shirk (Dec 01)
- Re: HOME_NET and EXTERNAL_NET Tim Slighter (Dec 01)
- Re: HOME_NET and EXTERNAL_NET M. Shirk (Dec 02)
- Re: HOME_NET and EXTERNAL_NET Tim Slighter (Dec 01)
- Re: HOME_NET and EXTERNAL_NET Tim Slighter (Dec 01)
- <Possible follow-ups>
- RE: HOME_NET and EXTERNAL_NET JAMIE CRAWFORD (Dec 01)
- Re: HOME_NET and EXTERNAL_NET Tim Slighter (Dec 01)
- RE: HOME_NET and EXTERNAL_NET Paul Schmehl (Dec 01)
- Re: HOME_NET and EXTERNAL_NET JAMIE CRAWFORD (Dec 01)
- Re: HOME_NET and EXTERNAL_NET Matt Kettler (Dec 01)
- RE: HOME_NET and EXTERNAL_NET Joe Patterson (Dec 01)
- HOME_NET and EXTERNAL_NET JAMIE CRAWFORD (Dec 02)
- RE: HOME_NET and EXTERNAL_NET M. Shirk (Dec 01)