Snort mailing list archives

external_net vs !home_net


From: charella constansia <sharella () yahoo com>
Date: Fri, 27 Sep 2002 12:38:24 -0700 (PDT)

Hi,

I've been dealing with this for a while. I want to
know if I'm doing something wrong or if it's a bug in
Snort.

I'm running a Snort sensor (1.8.7) on RedHat 7.3.

My snort.conf:
$HOME_NET [xx,xx,xx,xx/24,yy,yy,yy,yy/24,and a few more]
$EXTERNAL_NET !$HOME_NET.

If I write an alert:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"bla";)
This rule will also catch traffic from my internal net
to my internal net, and I will get too many false
positives.
But if I write it like below:
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"bla";)
it won't catch it.

Is this a bug in Snort if you have multiple subnets in
your HOME_NET?

Please help me, 
