Snort mailing list archives
Re: Upgraded to 2.8.6 and external network addresses
From: "Burks, Doug" <doug.burks () morris com>
Date: Thu, 29 Apr 2010 16:56:54 -0400
Hi James,

I think you're misunderstanding the purpose of EXTERNAL_NET. Quoting from http://seclists.org/snort/2007/q1/3 :

"HOME_NET is a list of systems you are interested in protecting. EXTERNAL_NET is a list of systems you are interested in protecting HOME_NET from."

Regards,
Doug Burks

-----Original Message-----
From: James R. Marcus [mailto:jmarcus () edhance com]
Sent: Thursday, April 29, 2010 4:46 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Upgraded to 2.8.6 and external network addresses

Hi,

Pretty new to Snort. I upgraded to 2.8.6 today and I'm running on CentOS 5.3 64-bit. In reality I didn't upgrade, I removed (not uninstalled) all the Snort binaries from my system and then installed an RPM of 2.8.6. I copied a fair amount of my configuration from the snort.conf of my earlier version. I specified my Web servers, telnet servers (phone system), etc. in the configuration. Then I came to the EXTERNAL_NET variable and looked at the IPs assigned to my routers. I added the CIDR nets we were assigned.

So now I'm getting a lot fewer alerts, is that because of the additional detail I provided for network services and external networks? I know it says a good start may be "any" but is that because some people don't know their external CIDR net?

These aren't my real IPs:

# Set up the external network addresses. A good start may be "any"
var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]

Thanks,
James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
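
As an added illustration of the HOME_NET/EXTERNAL_NET definition quoted in the message above (not code from either poster or from the Snort project), this Python script evaluates a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` against a few constructed packets under three EXTERNAL_NET settings. The HOME_NET range, the packet addresses and the helper names are assumptions, and only a subset of Snort's address syntax is parsed.

```python
import ipaddress

def parse_var(text, variables):
    """Parse a subset of Snort address syntax: any, CIDR, [a,b], $NAME, leading '!'."""
    text = text.strip()
    negate = text.startswith("!")
    if negate:
        text = text[1:].strip()
    if text.startswith("$"):
        inner_negate, nets = parse_var(variables[text[1:]], variables)
        return (negate != inner_negate, nets)
    if text == "any":
        return (negate, None)  # None means "every address"
    cidrs = text.strip("[]").split(",")
    return (negate, [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs])

def in_var(addr, var):
    """True if addr is covered by a parsed (negate, networks) variable."""
    negate, nets = var
    ip = ipaddress.ip_address(addr)
    hit = nets is None or any(ip in net for net in nets)
    return hit != negate

def sources_inspected(packets, external_net, home_net):
    """Sources for which a '$EXTERNAL_NET any -> $HOME_NET any' header matches."""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    ext = parse_var("$EXTERNAL_NET", variables)
    home = parse_var("$HOME_NET", variables)
    return [src for src, dst in packets if in_var(src, ext) and in_var(dst, home)]

# EXTERNAL_NET value as posted in the quoted message (stated there to be not real IPs).
POSTED = "[67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]"
HOME = "192.168.10.0/24"  # assumption: HOME_NET is not shown in the thread
# Constructed (source, destination) pairs, all aimed at one protected server.
PACKETS = [
    ("203.0.113.45", "192.168.10.20"),   # arbitrary Internet host
    ("198.51.100.7", "192.168.10.20"),   # another Internet host
    ("67.89.243.210", "192.168.10.20"),  # host inside the posted /28
    ("192.168.10.99", "192.168.10.20"),  # internal host
]

if __name__ == "__main__":
    for setting in (POSTED, "any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {setting}: {sources_inspected(PACKETS, setting, HOME)}")
```

With the posted list, only the source inside the listed ranges reaches such rules, which is consistent with the drop in alerts described in the quoted message.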