Snort mailing list archives

Re: snort.conf


From: spiv007 <spiv007 () gmail com>
Date: Fri, 14 Jan 2005 09:39:10 -0500

HOME_NET -> [192.168.0.0/24]
EXTERNAL_NET !$HOME_NET

So by doing the above I'm just letting snort know 192.168.0.0 is my
home network and my external is any but my "home_network" and snort
will still report problems on my home network too.

?


On Thu, 13 Jan 2005 16:29:52 -0600, Frank Knobbe <frank () knobbe us> wrote:
On Thu, 2005-01-13 at 16:38 -0500, spiv007 wrote:
Right, that's what I'm wondering: will "var EXTERNAL_NET !$HOME_NET" show
me an internet address attacking another internal address?

I'm using bleeding rules to detect virus and spyware.  I was thinking
"var EXTERNAL_NET any" will be my best option for this case.

If you want to catch HOME_NET -> HOME_NET, then yes.

Or you can mix them. I have snort.conf's that first set EXTERNAL_NET to
HOME_NET, then include various rule sets, and then set EXTERNAL_NET to
any, and include some selected rule sets.

It all depends on what YOU want to catch.

Cheers,
Frank

PS: I wonder what would happen if I set "var HOME_NET !$EXTERNAL_NET" ;)
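
Added example, not part of the original thread and not Snort's own code: a small Python model of how a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` is evaluated under the two EXTERNAL_NET settings discussed above. The helper names and the sample packets are constructed for illustration; ports and negated entries inside a bracketed list are deliberately not modelled.

```python
import ipaddress
import re

def resolve(value, variables):
    """Expand $NAME references the way a config parser would (text substitution)."""
    while "$" in value:
        value = re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], value)
    return value

def addr_matches(ip, spec):
    """True if ip falls inside spec: 'any', a CIDR list, or '!' plus either."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(ip, spec[1:])
    if spec == "any":
        return True
    nets = spec.strip("[]").split(",")
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.strip()) for n in nets)

def header_matches(src, dst, variables, header=("$EXTERNAL_NET", "$HOME_NET")):
    """Evaluate a one-directional (->) rule header against a packet's addresses."""
    src_spec, dst_spec = (resolve(h, variables) for h in header)
    return addr_matches(src, src_spec) and addr_matches(dst, dst_spec)

# Constructed sample packets (source, destination).
PACKETS = [
    ("203.0.113.5", "192.168.0.20"),   # outside -> inside
    ("192.168.0.10", "192.168.0.20"),  # inside  -> inside
    ("192.168.0.10", "203.0.113.5"),   # inside  -> outside
]

def compare(packets, home="[192.168.0.0/24]"):
    """Return, per EXTERNAL_NET setting, which packets the header would match."""
    results = {}
    for ext in ("!$HOME_NET", "any"):
        variables = {"HOME_NET": home, "EXTERNAL_NET": ext}
        results[ext] = [header_matches(s, d, variables) for s, d in packets]
    return results

if __name__ == "__main__":
    for setting, hits in compare(PACKETS).items():
        print(f"EXTERNAL_NET {setting}:")
        for (src, dst), hit in zip(PACKETS, hits):
            print(f"  {src} -> {dst}: {'match' if hit else 'no match'}")
```

The inside -> inside packet matches only when EXTERNAL_NET is `any`; with `!$HOME_NET` the source address fails the header check before any rule content is examined.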