Snort mailing list archives
Re: Setting the Home and External Net variables
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 13 Apr 2012 10:08:36 -0600
Hi,

Yes, that won't work. What I had to do is use the multiple configuration feature of snort.

Example:

    config binding: /etc/snort/snort-fw.conf net [10.12.100.100]

    First config:
    HOME_NET [10.0.0.0/8]
    EXTERNAL_NET any

    Second config:
    HOME_NET any
    EXTERNAL_NET [10.12.100.100]

Maybe this isn't the best way to do it, but it worked for me. My understanding is that this treats (in my case) my proxy server as EXTERNAL_NET.

From: Dheeraj Gupta [mailto:dheeraj.gupta4 () gmail com]
Sent: Thursday, April 12, 2012 10:56 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Setting the Home and External Net variables

Hi,

I have a snort sensor that monitors one of my networks. The said network is actually a collection of a few 10.x.y.0/24 networks which can grow further in future. So I thought 10.0.0.0/8 is a good enough approximation for my home_net. However, keeping the firewall 10.12.100.100 in HOME_NET wouldn't make much sense (since the sensor actually listens between the firewall and 10 network core switch). So I configured this:

    HOME_NET [10.0.0.0/8,!10.12.100.100]

Now for the external_net, I can either:

1) Set EXTERNAL_NET any - This helps me in monitoring rogue internal nodes
2) Set EXTERNAL_NET to some specific values

Since I mirror a top level switch, there is no point in using 'any' as not all the intra-network traffic will be seen (and it leads to a lot of false positives). But setting EXTERNAL_NET !$HOME_NET gives me an error.

    ERROR: /etc/snort/snort.conf(48) Negated IP ranges that are more general than non-negated ranges are not allowed. Consider inverting the logic in EXTERNAL_NET

How can I accurately set my HOME_NET and EXTERNAL_NET?
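The error quoted in this thread can be reproduced with a small model of the check. This is an added example, not part of either post and not Snort's own code. It assumes that negating a variable flips the negation of each entry inside it, and that a list is rejected when a negated range covers a non-negated one; the function names are hypothetical.

```python
import ipaddress

def parse_ip_list(text, variables=None):
    """Parse a flat Snort-style IP list into (negated, network) pairs."""
    variables = variables or {}
    entries = []
    for item in text.strip().strip("[]").split(","):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        if item.startswith("$"):
            # Assumed model: negating a variable flips every entry inside it,
            # so !$HOME_NET turns "!10.12.100.100" back into a plain entry.
            for inner_negated, net in variables[item[1:]]:
                entries.append((negated != inner_negated, net))
        else:
            cidr = "0.0.0.0/0" if item == "any" else item
            entries.append((negated, ipaddress.ip_network(cidr)))
    return entries

def negation_conflicts(entries):
    """Return (negated_net, allowed_net) pairs where the negated range
    is more general than (contains) a non-negated range."""
    allowed = [net for negated, net in entries if not negated]
    denied = [net for negated, net in entries if negated]
    return [(d, a) for d in denied for a in allowed if a.subnet_of(d)]

if __name__ == "__main__":
    # Values taken from the thread: the HOME_NET with the firewall excluded.
    home = parse_ip_list("[10.0.0.0/8,!10.12.100.100]")
    print("HOME_NET conflicts:", negation_conflicts(home))
    # EXTERNAL_NET !$HOME_NET expands to [!10.0.0.0/8, 10.12.100.100]:
    # the negated /8 now covers the non-negated firewall address.
    external = parse_ip_list("!$HOME_NET", {"HOME_NET": home})
    print("EXTERNAL_NET conflicts:", negation_conflicts(external))
    # Without the exclusion, !$HOME_NET is a single negated range and is fine.
    plain = parse_ip_list("!$HOME_NET", {"HOME_NET": parse_ip_list("[10.0.0.0/8]")})
    print("Plain HOME_NET conflicts:", negation_conflicts(plain))
```

Under this model the exclusion inside HOME_NET is what makes !$HOME_NET invalid, which is why the reply above splits the firewall address into its own bound configuration.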
Current thread:
- Setting the Home and External Net variables Dheeraj Gupta (Apr 12)
- Re: Setting the Home and External Net variables Jefferson, Shawn (Apr 13)
- Re: Setting the Home and External Net variables Kevin Ross (Apr 14)