Snort mailing list archives

RE: Snort.conf question $HOME_NET Question V1.8.6


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 14 May 2002 17:02:41 -0400

If all of your addresses are contiguous like you have listed below, condense
them into smaller CIDR block[s].
A single CIDR of 10.10.0.0/17 will cover you from 10.10.0.0 ->
10.10.127.255.

vjl
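As an added illustration (not part of the thread), the script below condenses the poster's list of /24 networks with Python's standard ipaddress module, in two ways: the exact minimal set of CIDR blocks, and a single enclosing block like the /17 suggested above. It also counts how many addresses the enclosing block pulls into $HOME_NET that were not in the original list. The 10.10.x.0/24 ranges are the placeholder addresses from the original post.

```python
import ipaddress

# Constructed input: the /24 networks 10.10.10.0/24 through 10.10.80.0/24
# (the placeholder addresses from the original post, 71 networks in all).
HOME_NETS = [ipaddress.ip_network(f"10.10.{i}.0/24") for i in range(10, 81)]


def exact_cidrs(nets):
    """Fewest CIDR blocks that cover exactly the given networks, nothing more."""
    return list(ipaddress.collapse_addresses(nets))


def covering_cidr(nets):
    """One supernet enclosing every network in the list. It may also enclose
    address space that is not in the list; the /17 in the reply is this kind
    of block. Walks up from the first network until everything fits."""
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def overcoverage(nets, supernet):
    """Number of addresses inside supernet that are in none of nets.
    Assumes nets are disjoint and all inside supernet. Any host in that gap
    would be treated as $HOME_NET, so $EXTERNAL_NET rules stop seeing it."""
    return supernet.num_addresses - sum(n.num_addresses for n in nets)


def snort_var(name, nets):
    """Render a snort.conf variable in the bracketed list form from the post."""
    return f"var {name} [{','.join(str(n) for n in nets)}]"


if __name__ == "__main__":
    exact = exact_cidrs(HOME_NETS)
    wide = covering_cidr(HOME_NETS)
    print(snort_var("HOME_NET", exact))
    print(f"# single block {wide} adds {overcoverage(HOME_NETS, wide)} "
          "addresses that are not in the original list")
```

For the 71 networks above the exact form needs 6 blocks, while the single /17 also covers 14592 addresses (10.10.0.0-10.10.9.255 and 10.10.81.0-10.10.127.255) that the poster never listed as internal.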

-----Original Message-----
From: Rose, Jerry L SAJ Contractor
[mailto:Jerry.L.Rose () saj02 usace army mil]
Sent: Tuesday, May 14, 2002 4:27 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort.conf question $HOME_NET Question V1.8.6



Running on Linux (RedHat 7.2) - Snort 1.8.6 
My home network (internal network addresses) runs as 
follows (not my real addresses)... 
10.10.10.0/24 
10.10.11.0/24 
10.10.12.0/24 
and so on and so forth for about 70 entries. 

If I try this in snort.conf... 
var Home_NET [10.10.10.0/24,10.10.11.0/24,10.10.12.0/24,the rest
through 10.10.80.0/24]
then snort will not run. 

I'm using this format below. Snort runs, but it seems that the 
variable HOME_NET isn't really what I think I am telling it to be. 
var NET_01
[10.10.10.0/24,10.10.11.0/24,10.10.12.0/24...........10.10.30.0/24] 
var NET_02
[10.10.31.0/24,10.10.32.0/24,10.10.33.0/24...........10.10.60.0/24] 
var NET_03
[10.10.61.0/24,10.62.10.0/24,10.10.63.0/24...........10.10.80.0/24] 

var HOME_NET $NET_01 $NET_02 $NET_03 

var EXTERNAL_NET !$HOME_NET 

Alerts like $EXTERNAL_NET any > $HOME_NET any are being logged even though 
the packets are coming from internal addresses - what I intended to be 
included in $HOME_NET. 

Any Ideas? 

jerry.l.rose () usace army mil 

