Snort mailing list archives

Re: Upgraded to 2.8.6 and external network addresses

From: "Burks, Doug" <doug.burks () morris com>
Date: Thu, 29 Apr 2010 16:56:54 -0400

Hi James,

I think you're misunderstanding the purpose of EXTERNAL_NET.  Quoting
from http://seclists.org/snort/2007/q1/3 :
"HOME_NET is a list of systems you are interested in protecting.
EXTERNAL_NET is a list of systems you are interested in protecting
HOME_NET from."

Regards,
Doug Burks

-----Original Message-----
From: James R. Marcus [mailto:jmarcus () edhance com] 
Sent: Thursday, April 29, 2010 4:46 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Upgraded to 2.8.6 and external network addresses

Hi,
Pretty new to Snort. I upgraded to 2.8.6 today and I'm running on Cent
OS 5.3 64-bit. In reality I didn't upgrade, I removed (not uninstalled)
all the Snort binaries from my system and then installed an RPM of
2.8.6. I copied a fair amount of my configuration from the snort.conf of
my earlier version.  I specified my Web servers, telnet servers (phone
system), etc in the configuration.  Then I came to the EXTERNAL_NET
variable and looked at the IPs assigned to my routers. I added the the
CIDR nets we were assigned.  So now I'm getting a lot fewer alerts, is
that because of the additonal detail I provided for network services and
external networks?

I know it says a good start may be "any" but is that because some people
don't know their external CIDR net?


There aren't my real IPs:


# Set up the external network addresses.  A good start may be "any"
var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]



Thanks,
James
------------------------------------------------------------------------
------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Alternative to BASE Curt Shaffer (Apr 28)
- Re: Alternative to BASE Kevin Johnson (Apr 28)
  - Re: Alternative to BASE Curt Shaffer (Apr 28)
    - Re: Alternative to BASE Kevin Johnson (Apr 28)
- Re: Alternative to BASE Stephen Mullins (Apr 28)
  - Re: Alternative to BASE Jeff Kell (Apr 28)
    - Re: Alternative to BASE Bamm Visscher (Apr 28)
    - Re: Alternative to BASE Stephen Mullins (Apr 28)
    - Upgraded to 2.8.6 and external network addresses James R. Marcus (Apr 29)
    - Re: Upgraded to 2.8.6 and external network addresses Burks, Doug (Apr 29)
    - Re: Upgraded to 2.8.6 and external network addresses James R. Marcus (Apr 29)
    - Re: Upgraded to 2.8.6 and external network addresses Nick Moore (Apr 29)
- Re: Alternative to BASE Dustin Webber (Apr 28)