Snort mailing list archives
RE: variable problem
From: "Jim Cervantes" <jcervant () umbranetworks com>
Date: Mon, 16 Jun 2003 14:01:18 -0400
Since every address matches either !10.6.0.0/24, !10.5.0.0/24 or both, isn't your suggestion of setting EXTERNAL_NET to [!10.6.0.0/24,!10.5.0.0/24] equivalent to setting it to any?

-Jim

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Erek Adams
Sent: Monday, June 16, 2003 12:53 PM
To: Brian Hughes
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] variable problem

On Mon, 16 Jun 2003, Brian Hughes wrote:
I'm having a problem with the EXTERNAL_NET variable. We have two networks 10.5 and 10.6. Right now the IDS machine is listening for all traffic coming into the 10.6 network. I'm trying to set things up so that Snort will only alert for traffic coming into 10.6 from outside 10.6 and 10.5. Here is how I have my snort.conf variables defined.

HOME_NET 10.6.0.0/24
EXTERNAL_NET [!10.6.0.0/24,!10.5.0.0/24]

That's set correctly.
(I also tried setting it to ![10.6.0.0/24,10.5.0.0/24] but it didn't work either). From looking through the archives I was thinking this would work, but it is still showing alerts being triggered by machines in the 10.6 network with destinations of the 10.5 network. The only signature it is doing this for is the spp_portscan2 alert.
That's not a signature. That's an alert generated by the portscan2 preprocessor. portscan2 doesn't use HOME_NET or EXTERNAL_NET for anything. For that, you need to use portscan2-ignorehosts. Have a look at this [0] email from the archives for some more info.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

[0] http://marc.theaimsgroup.com/?l=snort-users&m=105104781609557&w=2

-------------------------------------------------------
This SF.NET email is sponsored by: eBay
Great deals on office technology -- on eBay now! Click here:
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
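
Jim's question turns on how a list of negated elements is combined. The Python sketch below is an added example, not part of the thread and not Snort's own code: it evaluates the EXTERNAL_NET value from the thread under two assumed readings (each element tested on its own and ORed, versus negations treated as exclusions) over constructed sample addresses. It does not establish which reading a given Snort version implements; the function names are hypothetical.

```python
import ipaddress

def parse(var):
    """Split a flat Snort-style list such as "[!10.6.0.0/24,!10.5.0.0/24]"
    into (negated, network) pairs. Only the flat form from the thread is handled."""
    items = []
    for tok in var.strip("[]").split(","):
        tok = tok.strip()
        negated = tok.startswith("!")
        items.append((negated, ipaddress.ip_network(tok.lstrip("!"))))
    return items

def match_union(var, addr):
    """Assumed reading 1: every element is tested separately, results are ORed."""
    ip = ipaddress.ip_address(addr)
    # (ip in net) != negated is True for a positive hit or a negated miss.
    return any((ip in net) != negated for negated, net in parse(var))

def match_exclude(var, addr):
    """Assumed reading 2: negated elements are exclusions. An address matches
    when it is in no negated network and, if positives exist, in one of them."""
    ip = ipaddress.ip_address(addr)
    items = parse(var)
    if any(negated and ip in net for negated, net in items):
        return False
    positives = [net for negated, net in items if not negated]
    return not positives or any(ip in net for net in positives)

EXTERNAL_NET = "[!10.6.0.0/24,!10.5.0.0/24]"      # value quoted in the thread
SAMPLES = ["10.6.0.5", "10.5.0.9", "192.0.2.10"]  # constructed test addresses

def table():
    """Map each sample address to (union result, exclude result)."""
    return {a: (match_union(EXTERNAL_NET, a), match_exclude(EXTERNAL_NET, a))
            for a in SAMPLES}

if __name__ == "__main__":
    for addr, (union, exclude) in table().items():
        print(f"{addr:12} union={union!s:5} exclude={exclude}")
```

Under the ORed reading every sample address matches, which is the "equivalent to any" outcome Jim describes; under the exclusion reading only the address outside both /24 networks matches.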
Current thread:
- variable problem Brian Hughes (Jun 16)
- Re: variable problem Erek Adams (Jun 16)
- RE: variable problem Jim Cervantes (Jun 16)
- RE: variable problem Erek Adams (Jun 17)
- Re: variable problem Matt Kettler (Jun 17)
- RE: variable problem Jim Cervantes (Jun 16)
- <Possible follow-ups>
- RE: variable problem adam.w.hogan (Jun 16)
- RE: variable problem Brian Hughes (Jun 17)
- Re: variable problem Erek Adams (Jun 16)