Snort mailing list archives
Re: Will Snort understand something like this?
From: hchlai () netscape net (Hin)
Date: Wed, 28 Sep 2005 10:37:39 -0400
If I do "var EXTERNAL_NET $DMZ_NET", then I would only see alerts from DMZ -> HOME. I would like to see alerts from EXTERNAL to HOME as well as DMZ to HOME. Just like many of you from the DC metropolitan area, I use routable IPs in my HOME_NET too. =)

Anyhow, I just ran a test by using 2 custom sigs:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound tcp traffic"; sid:5000000;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound tcp traffic"; sid:5000001;)

I guess Snort does interpret correctly as I can see traffic from EXTERNAL to HOME, DMZ to home and vice versa.

However, I'm interested to know, Joel, from my last question regarding VNC server response. If now I know that I have defined EXTERNAL_NET and HOME_NET properly, what would be the cause of what I have seen?

Hin

Joel Esler <joel.esler () sourcefire com> wrote:
Why wouldn't you just do a var EXTERNAL_NET $DMZ_NET ??

Joel

On Sep 28, 2005, at 9:53 AM, Hin wrote:

Hi Snorters,

I set the following in my snort.conf

var HOME_NET 192.168.0.0/16
var DMZ_NET [192.168.5.0/24,192.168.10.0/24,192.168.15.0/24]
var EXTERNAL_NET [!$HOME_NET,$DMZ_NET]

Snort starts properly, but I don't know if Snort interprets EXTERNAL_NET correctly. Is there a way that I can find this information out?

ps. Let's not try to understand how I get into this situation.

Cheers,
Hin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
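An added illustration, not code from the thread or from Snort: it evaluates the EXTERNAL_NET list from the original post under the two IP-list semantics the Snort manual describes, the older one where every element is OR'ed, and the later one where non-negated elements are OR'ed and the result is AND'ed with the negation of the negated elements. Which of the two a given Snort build applies is an assumption to verify against that build; the test addresses are constructed.

```python
import ipaddress

# Variable definitions copied from the snort.conf lines quoted in the thread.
VARS = {
    "HOME_NET": "192.168.0.0/16",
    "DMZ_NET": "[192.168.5.0/24,192.168.10.0/24,192.168.15.0/24]",
    "EXTERNAL_NET": "[!$HOME_NET,$DMZ_NET]",
}

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
            continue
        depth += (ch == "[") - (ch == "]")
        cur += ch
    return parts + [cur]

def expand(value, negated=False):
    """Flatten to (network, negated) pairs. Negation is pushed down to each
    element, which is exact here because only a single CIDR is negated."""
    value = value.strip()
    if value.startswith("!"):
        return expand(value[1:], not negated)
    if value.startswith("$"):
        return expand(VARS[value[1:]], negated)
    if value.startswith("["):
        return [e for part in split_top(value[1:-1]) for e in expand(part, negated)]
    return [(ipaddress.ip_network(value), negated)]

def match_each_or(addr, entries):
    """Older semantics: any single element, negated or not, may match."""
    return any((addr in net) != neg for net, neg in entries)

def match_pos_and_not_neg(addr, entries):
    """Later semantics: (OR of positives) AND NOT (OR of negated)."""
    pos = [net for net, neg in entries if not neg]
    in_pos = any(addr in net for net in pos) if pos else True
    return in_pos and not any(addr in net for net, neg in entries if neg)

def evaluate(ip, var="EXTERNAL_NET"):
    """Return (older_semantics_match, later_semantics_match) for one address."""
    addr, entries = ipaddress.ip_address(ip), expand(VARS[var])
    return match_each_or(addr, entries), match_pos_and_not_neg(addr, entries)

if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.168.5.10", "192.168.1.20"):  # constructed
        print(ip, evaluate(ip))
```

Under the element-wise OR reading, outside and DMZ addresses both fall in EXTERNAL_NET, which is consistent with the alerts Hin reports; under the other reading the same list matches nothing, so the definition is worth re-testing with the two custom rules after any Snort upgrade.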
Current thread:
- Will Snort understand something like this? Hin (Sep 28)
- Re: Will Snort understand something like this? Joel Esler (Sep 28)
- Re: Will Snort understand something like this? Eric Maheo (Sep 28)
- <Possible follow-ups>
- Re: Will Snort understand something like this? Hin (Sep 28)