Snort mailing list archives
Re: snort.conf
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 13 Jan 2005 16:29:52 -0600
On Thu, 2005-01-13 at 16:38 -0500, spiv007 wrote:
> Right, that's what I'm wondering: will "var EXTERNAL_NET !$HOME_NET" show me an internet address attaching another internal address? I'm using bleeding rules to detect virus and spyware. I was thinking "var EXTERNAL_NET any" will be my best option for this case.
If you want to catch HOME_NET -> HOME_NET, then yes. Or you can mix them. I have snort.conf's that first set EXTERNAL_NET to HOME_NET, then include various rule sets, and then set EXTERNAL_NET to any, and include some selected rule sets. It all depends on what YOU want to catch.

Cheers,
Frank

PS: I wonder what would happen if I set "var HOME_NET !$EXTERNAL_NET" ;)
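The effect of each EXTERNAL_NET setting discussed in this message, as an added example that is not part of the original post or of Snort itself: a small Python model of how `var` and `include` lines bind rule sets to the variable values in effect at include time. The network 192.168.1.0/24, the rule file names, and the assumption that every rule header reads `$EXTERNAL_NET any -> $HOME_NET any` are constructed for illustration.

```python
import ipaddress

HOME = "192.168.1.0/24"  # constructed sample network, not from the post

def in_spec(ip, spec):
    """Match an address against a Snort-style spec: 'any', CIDR, or '!CIDR'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))
    return hit != negate

def load_config(lines):
    """Process 'var' and 'include' lines in order; each rule set keeps the
    EXTERNAL_NET/HOME_NET values that were current when it was included."""
    env, bound = {}, []
    for line in lines:
        kind, name, *rest = line.split()
        if kind == "var":
            value = rest[0]
            neg = "!" if value.startswith("!") else ""
            ref = value.lstrip("!")
            if ref.startswith("$"):          # expand $NAME to its current value
                value = neg + env[ref[1:]]
            env[name] = value
        elif kind == "include":
            bound.append((name, env["EXTERNAL_NET"], env["HOME_NET"]))
    return bound

def alerts(bound, src, dst):
    """Rule sets whose assumed header '$EXTERNAL_NET any -> $HOME_NET any' matches."""
    return [n for n, ext, home in bound if in_spec(src, ext) and in_spec(dst, home)]

# Hypothetical rule file names; only the var lines mirror the thread.
NEGATED = [f"var HOME_NET {HOME}", "var EXTERNAL_NET !$HOME_NET", "include virus.rules"]
ANY = [f"var HOME_NET {HOME}", "var EXTERNAL_NET any", "include virus.rules"]
MIXED = [f"var HOME_NET {HOME}",
         "var EXTERNAL_NET $HOME_NET", "include internal.rules",
         "var EXTERNAL_NET any", "include selected.rules"]

INTERNAL = ("192.168.1.10", "192.168.1.20")   # constructed HOME_NET -> HOME_NET flow
INBOUND = ("203.0.113.5", "192.168.1.20")     # constructed outside -> HOME_NET flow

if __name__ == "__main__":
    for label, conf in (("!$HOME_NET", NEGATED), ("any", ANY), ("mixed", MIXED)):
        bound = load_config(conf)
        print(label, "internal:", alerts(bound, *INTERNAL),
              "inbound:", alerts(bound, *INBOUND))
```
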