RE: Home_net & external_net

["Don" <Don () WeberOnTheWeb com>]

erek, what would be wrong with doing as I suggested, the having 3 subnets as
home_net, and only wanting to ignroe alerts from 2 of those 3 subnets, is
exactly why i have/use the trusted_net variable, which makes it where i can
add/subtract IP's from there as necessary, this allows both, home_net to
consist of all subnets, and allows the ability to gather alerts from the
subnet he wants alerts on. creating the trusted_net variable has saved me
lots of headeaches in stuff like this, where an IP is in my home_net and i
wish to have alerts from it, I also create the same type of variables for
trusted_smtp trusted_sql etc... so that just anything in home-net is not
automatically ignored when it comes to alerts from those type of services. I
also use a suspect_net variable that i can add IP's to. it helps narrowing
things down a bit.

don


> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net
> > [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams
> > Sent: Friday, December 06, 2002 7:21 AM
> > To: Jeremy Finke
> > Cc: snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] Home_net & external_net
> >
> >
> > On Fri, 6 Dec 2002, Jeremy Finke wrote:
> >
> > > Except that I want to view 192.168.41.0 as both an attacking and
> > > protected network.
> >
> > Ok, well that's not clear from your original info.
> >
> > [I'm short on cofee today, so all brain cells may not be firing...]
> >
> > What you're doing now:
> >
> > > var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
> > > var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]
> >
> > Wouldn't work the way you want.  If it does work and is valid (I'm too
> > lazy to dig into the source right now) it is the same as setting EXTERNAL
> > to !$HOME_NET.
> >
> > You might want to consider running another instance of snort
> > that is setup
> > to just watch the 192.168.41.0 net.  Setup one as external as !$HOME on
> > one, then use 'any' on the second.
> >
> > Granted it's not optimal, bit it would work.
> >
> > Cheers!
> >
> > -----
> > Erek Adams
> > Nifty-Type-Guy
> > TheAdamsFamily.Net
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users