Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: home_net and external_net: how to use ! with multiple subnets ?

From: cc <cc () belfordhk com>
Date: Wed, 20 Aug 2003 18:04:23 +0800
Tom Van Overbeke wrote:

Hi,


We have installed snort on our firewall, listening on the external
interface.

on the internal side, we have various lan's / dmz's etc, the external ip
interface (public ip adress) is connected to a hub, on which another public
ip adress (that i also want to consider as 'home_net' is connected.

Now i'd like to consider external net as 'everything that is not home_net',
but i can't get the syntax right. so for the moment i have only excluded our
main lan in external net.
the problem being that alot of false alerts are logged that come from the
other local subnets.

this is my current definition:

var HOME_NET
[172.21.0.0/16,172.16.208.0/27,172.16.208.32/27,195.xxx.xxx.xxx/32,195.xxx.x
xx.xxx/32]
var EXTERNAL_NET !172.21.0.0/16


Two possible minor things come to my mind:

1)  Why have you repeated 195.xxx.xxx.xxx/32 twice?  Typo I take it?

2) Wouldn't it be?
   var EXTERNAL_NET !HOME_NET

I'm not too sure about that last one, but it certainly sounds
logical.




-------------------------------------------------------
This SF.net email is sponsored by Dice.com.
Did you know that Dice has over 25,000 tech jobs available today? From
careers in IT to Engineering to Tech Sales, Dice has tech jobs from the
best hiring companies. http://www.dice.com/index.epl?rel_code=104
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: