Snort mailing list archives

Re: HOME_NET and EXTERNAL_NET variables


From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 1 Nov 2001 11:23:29 -0800 (PST)

On Thu, 1 Nov 2001, Merrick, Gary wrote:

> Yes, this is a total newbie question, but I figured this is the right
> place to ask it.

No, it's not.  We flog all newbies with streams of Electrons until they bow
down to the power of Snort.

;-)

> What is the purpose of the HOME_NET and EXTERNAL_NET variables that are
> defined in snort.conf?  Does it change the formatting of the alerts?  Or
> perhaps turn off the scanning of packets originating from an internal
> network?  Or something else?

Answer D)  A mixture.  :)

> I would imagine this would be a fairly straightforward process to define
> them if one had an extremely simple network architecture.  But my
> ultimate aim is to be able to monitor 3 or 4 networks.  In such a case,
> what is considered "home" and what is "external"?

HOME_NET and EXTERNAL_NET are basically exactly what they say.  Anything
inside a range that you wish to call 'home' should be defined as HOME_NET.
This defines your local net(s).  Your 'area of watching' you could say.

EXTERNAL_NET is just the opposite.  It's where you want to watch for things
coming from.  If you go to the rules and look you'll see a lot of rules that
break down to something like "If a packet comes in from EXTERNAL_NET and is
going to HOME_NET and has these patterns/flags/content, then alert someone."

My suggestion:

  var HOME_NET 10.1.1.0/24    (Or whatever your range(s) are.)
  var EXTERNAL_NET !$HOME_NET   (Everything but HOME_NET)

Here's a FAQ link for what you want to do with the multi subnets:

http://www.snort.org/docs/faq.html#3.3

> Any guidance would be much appreciated.

http://www.snort.org/
http://www.snort.org/docs/faq.html              (Slightly older version)
http://www.theadamsfamily.net/~erek/snort/FAQ   (Copy I yanked from CVS)
http://www.snort.org/docs/writing_rules/
http://www.snort.org/docs/SnortUsersManual.pdf

And of course:  The Source Code!  :)

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
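Added example, not from the post or from Snort itself: a small Python resolver that models how a rule header of the form "alert tcp $EXTERNAL_NET any -> $HOME_NET any" is evaluated against the variables Erek suggests, including the !$HOME_NET negation and a bracketed multi-subnet list for the "3 or 4 networks" case. The variable values, the addresses and the helper names are assumptions made up for illustration.

```python
import ipaddress

# Constructed snort.conf-style definitions (illustrative values, not from the post).
# HOME_NET lists two local ranges; EXTERNAL_NET is "everything but HOME_NET".
SNORT_VARS = {
    "HOME_NET": "[10.1.1.0/24,192.168.0.0/16]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def _split_list(spec):
    """Turn '[a,b,c]' or 'a' into a list of items."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [s.strip() for s in spec.split(",") if s.strip()]


def resolve(spec, variables):
    """Expand an address spec into (negated, networks), following $VAR references."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return (negated != inner_negated, nets)  # '!' on a '!' flips back
    if spec == "any":
        return (negated, [ipaddress.ip_network("0.0.0.0/0")])
    nets = []
    for item in _split_list(spec):
        if item.startswith("$"):  # a list entry may itself be a variable
            nets.extend(resolve(item, variables)[1])
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return (negated, nets)


def matches(spec, ip, variables=SNORT_VARS):
    """True if ip falls inside the spec (respecting a leading '!')."""
    negated, nets = resolve(spec, variables)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets) != negated


def rule_fires(src_spec, dst_spec, src_ip, dst_ip, variables=SNORT_VARS):
    """Header check only: does 'src_spec -> dst_spec' match this packet?"""
    return matches(src_spec, src_ip, variables) and matches(dst_spec, dst_ip, variables)
```

Note that internal-to-internal traffic is still inspected by Snort; it simply does not match a rule whose header demands an EXTERNAL_NET source, which is the "mixture" Erek refers to.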

