Snort mailing list archives

Re: snort.conf


From: spiv007 <spiv007 () gmail com>
Date: Thu, 13 Jan 2005 16:38:41 -0500

Right, that's what I'm wondering: will "var EXTERNAL_NET !$HOME_NET" show
me an internet address attacking another internal address?

I'm using bleeding rules to detect viruses and spyware.  I was thinking
"var EXTERNAL_NET any" will be my best option for this case.

?


On Thu, 13 Jan 2005 14:51:31 -0500, Esler, Joel - Contractor
<joel.esler () rcert-s army mil> wrote:
Yeah.  What you said.  You said what I wanted to say.  <takes valium>

J

-----Original Message-----
From: Paul Schmehl [mailto:pauls () utdallas edu]
Sent: Thursday, January 13, 2005 2:34 PM
To: Esler, Joel - Contractor; spiv007; Snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort.conf

--On Thursday, January 13, 2005 10:36:00 AM -0500 "Esler, Joel -
Contractor" <joel.esler () rcert-s army mil> wrote:

IIRC, External_net set to any (if you have Home_net defined) is the
same as your statement below

Huh?  Are you certain?  Any should mean any IP at all, which would include
HOME_NET addresses.  This would mean, for example, an internal address
"attacking" another internal address would trigger an alert configured to
alert from external to internal.

I don't think that's what most people want.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
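
The difference debated in this thread, as an added example (not from any poster and not Snort's own code): a simplified model of the address check for a rule header written as `$EXTERNAL_NET any -> $HOME_NET any`, evaluated under both settings. The HOME_NET ranges and the sample flows are constructed, and only address matching is modeled (no ports, protocol or rule options).

```python
import ipaddress

def parse_var(spec, variables):
    """Resolve a snort.conf-style address value into (negated, networks)."""
    negated = spec.startswith("!")
    body = spec.lstrip("!")
    if body.startswith("$"):                      # reference to another var
        inner_neg, nets = parse_var(variables[body[1:]], variables)
        return negated != inner_neg, nets
    if body == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    nets = [ipaddress.ip_network(n) for n in body.strip("[]").split(",")]
    return negated, nets

def addr_matches(ip, spec, variables):
    negated, nets = parse_var(spec, variables)
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated                         # "!" inverts the match

def rule_fires(src, dst, variables):
    """Address check for: alert ip $EXTERNAL_NET any -> $HOME_NET any"""
    return (addr_matches(src, "$EXTERNAL_NET", variables)
            and addr_matches(dst, "$HOME_NET", variables))

HOME = "[10.0.0.0/8,192.168.1.0/24]"              # constructed HOME_NET
CONF_ANY = {"HOME_NET": HOME, "EXTERNAL_NET": "any"}
CONF_NOT_HOME = {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET"}

FLOWS = [                                         # constructed sample flows
    ("203.0.113.5", "10.1.2.3"),                  # outside -> inside
    ("10.1.2.3", "10.9.9.9"),                     # inside  -> inside
    ("10.1.2.3", "203.0.113.5"),                  # inside  -> outside
]

def compare():
    """Return (src, dst, fires_with_any, fires_with_not_home) per flow."""
    return [(s, d, rule_fires(s, d, CONF_ANY), rule_fires(s, d, CONF_NOT_HOME))
            for s, d in FLOWS]

if __name__ == "__main__":
    for src, dst, with_any, with_not_home in compare():
        print(f"{src:>13} -> {dst:<13} any={with_any!s:<5} !$HOME_NET={with_not_home}")
```

Only the inside-to-inside flow differs between the two settings: it matches with `any` and does not match with `!$HOME_NET`.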


