Snort mailing list archives
RE: Snort.conf question $HOME_NET Question V1.8.6
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 14 May 2002 17:02:41 -0400
If all of your addresses are contiguous like you have listed below, condense them into smaller CIDR block[s]. A single CIDR of 10.10.0.0/17 will cover you from 10.10.0.0 -> 10.10.127.255.

vjl

-----Original Message-----
From: Rose, Jerry L SAJ Contractor [mailto:Jerry.L.Rose () saj02 usace army mil]
Sent: Tuesday, May 14, 2002 4:27 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Snort.conf question $HOME_NET Question V1.8.6

Running on Linux (RedHat 7.2) - Snort 1.8.6

My home network (internal network addresses) runs as follows (not my real addresses)...

10.10.10.0/24
10.10.11.0/24
10.10.12.0/24

and so on and so forth for about 70 entries.

If I try this in snort.conf...

var Home_NET [10.10.10.0/24,10.10.11.0/24,10.10.12.0/24,the rest through10.10.80.0/24]

then snort will not run.

I'm using this format below. Snort runs, but it seems that the variable HOME_NET isn't really what I think I am telling it to be.

var NET_01 [10.10.10.0/24,10.10.11.0/24,10.10.12.0/24...........10.10.30.0/24]
var NET_02 [10.10.31.0/24,10.10.32.0/24,10.10.33.0/24...........10.10.60.0/24]
var NET_03 [10.10.61.0/24,10.62.10.0/24,10.10.63.0/24...........10.10.80.0/24]
var HOME_NET $NET_01 $NET_02 $NET_03
var EXTERNAL_NET !$HOME_NET

Alerts like

$EXTERNAL_NET any > $HOME_NET any

are being logged even though the packets are coming from internal addresses - what I intended to be included in $HOME_NET.

Any Ideas?

jerry.l.rose () usace army mil
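The condensing step suggested in the reply, as an added example that is not part of either message: it collapses a contiguous run of /24s into the shortest exact CIDR list for a single HOME_NET line, and counts how many extra addresses a single covering block such as 10.10.0.0/17 would also pull in. The range 10.10.10.0/24 through 10.10.80.0/24 with no gaps is an assumption built from the placeholder addresses in the post, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the post's placeholder /24s, assumed to run from
# 10.10.10.0/24 through 10.10.80.0/24 with no gaps.
SUBNETS = ["10.10.%d.0/24" % octet for octet in range(10, 81)]


def collapse(networks):
    """Merge adjacent CIDRs into the shortest list covering exactly the same addresses."""
    parsed = (ipaddress.ip_network(n) for n in networks)
    return list(ipaddress.collapse_addresses(parsed))


def snort_var(name, networks):
    """Render a 'var' line in the bracketed, comma-separated form used in the post."""
    return "var %s [%s]" % (name, ",".join(str(n) for n in networks))


def extra_addresses(supernet, networks):
    """Count addresses that one covering block adds beyond the listed networks."""
    supernet = ipaddress.ip_network(supernet)
    exact = collapse(networks)
    if not all(n.subnet_of(supernet) for n in exact):
        raise ValueError("supernet does not cover every listed network")
    return supernet.num_addresses - sum(n.num_addresses for n in exact)


if __name__ == "__main__":
    # Exact cover: six blocks instead of 71 entries.
    print(snort_var("HOME_NET", collapse(SUBNETS)))
    # Cost of the single-block shortcut, in addresses outside the listed ranges.
    print("extra addresses inside 10.10.0.0/17:",
          extra_addresses("10.10.0.0/17", SUBNETS))
```

Any address counted as extra is treated as part of HOME_NET and is therefore excluded from EXTERNAL_NET when that is defined as !$HOME_NET, so the exact list is the safer choice when those ranges are not actually internal.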