Snort mailing list archives

RE: Home_net & external_net


From: "Don" <Don () WeberOnTheWeb com>
Date: Thu, 5 Dec 2002 17:25:25 -0800

I'm not sure if you can have the ANY there inside those parentheses, maybe try a trusted_net variable, since you're excluding one
segment of your home_net.
Do:
var TRUSTED_NET [192.168.40.0/24,!10.14.0.0/16]
var EXTERNAL_NET  !$TRUSTED_NET

don

  -----Original Message-----
  From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jeremy Finke
  Sent: Thursday, December 05, 2002 4:20 PM
  To: snort-users () lists sourceforge net
  Subject: [Snort-users] Home_net & external_net


  I have something that is driving me crazy.

  I have alerts going off from within two different segments of my HOME_NET.
I don't understand why I am seeing these.  Here are the 2 lines from my
snort.conf:

  var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
  var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]

  I have an alert from 10.14.1.50 going to 192.168.40.65 that is SNMP
request udp.  Why is that showing up?  Since they are both HOME_NET
networks, shouldn't snort not log this type of activity?

  I also have other examples:
   #7-(2-1418) [arachnids][snort] ICMP L3retriever Ping 2002-12-05 18:13:15
10.14.1.50 192.168.40.67 ICMP
   #9-(2-1426) [cve][icat][arachnids][snort] TELNET access 2002-12-05
18:15:41 192.168.40.53:23 10.14.14.182:1925
  Thanks!



  Jeremy T. Finke
  Systems Engineer
  Meridian IQ
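
An added example, not part of either message and not Snort's own code: a Python check that classifies the addresses from the quoted alerts against the two variables as posted, under two assumed readings of a negated list. The function names and both matching rules are assumptions; the thread does not say which one the Snort version in use applies.

```python
import ipaddress

# Variables exactly as posted in the thread.
HOME_NET = "[192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]"
EXTERNAL_NET = "[any,!192.168.40.0/24,!10.14.0.0/16]"

# Source/destination pairs taken from the three alerts quoted in the thread.
ALERT_FLOWS = [
    ("10.14.1.50", "192.168.40.65"),    # SNMP request udp
    ("10.14.1.50", "192.168.40.67"),    # ICMP L3retriever Ping
    ("192.168.40.53", "10.14.14.182"),  # TELNET access
]

def parse_list(text):
    """Split a bracketed list into (negated, network) entries."""
    entries = []
    for item in text.strip("[] ").split(","):
        item = item.strip()
        negated = item.startswith("!")
        cidr = item.lstrip("!")
        net = ipaddress.ip_network("0.0.0.0/0" if cidr.lower() == "any" else cidr)
        entries.append((negated, net))
    return entries

def match_any_entry(addr, entries):
    """Assumed reading 1: the list is an OR of entries, each negated on its own."""
    ip = ipaddress.ip_address(addr)
    return any((ip in net) != negated for negated, net in entries)

def match_include_exclude(addr, entries):
    """Assumed reading 2: in some plain entry and in no negated entry."""
    ip = ipaddress.ip_address(addr)
    included = any(ip in net for negated, net in entries if not negated)
    excluded = any(ip in net for negated, net in entries if negated)
    return included and not excluded

def classify(addr, matcher):
    """Report which of the two variables an address falls into under a matcher."""
    return {
        "home": matcher(addr, parse_list(HOME_NET)),
        "external": matcher(addr, parse_list(EXTERNAL_NET)),
    }

if __name__ == "__main__":
    for src, dst in ALERT_FLOWS:
        for matcher in (match_any_entry, match_include_exclude):
            print(matcher.__name__, src, classify(src, matcher), dst, classify(dst, matcher))
```

Under the first reading the `any` entry makes every address external, so the negations have no effect; under the second, 192.168.41.0/24 is still in both variables because it is not negated in EXTERNAL_NET.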
