Snort mailing list archives

Using Ranges in $HOME_NET and $EXTERNAL_NET


From: "John Duksta" <jduksta () gmail com>
Date: Mon, 13 Oct 2008 15:07:10 +0000

We're making an effort in our HOME_NET definitions to exclude internal
addresses of proxy servers so internal sensors will treat them as external
hosts and we'll catch more browser-based exploits.

There are a couple of ways to skin this cat, but the one that seems to work
best is to do something that's not explicitly supported, i.e. using a range
specifier in the HOME_NET. It seems to work and the snort.conf parser
doesn't complain. However, I'd like to get the thoughts of the community as
to the long-term feasibility of this strategy.

Example:

Original Settings:
var HOME_NET [192.168.30.0/24]

I want to exclude 192.168.30.10 and .11 because they're proxy servers
var HOME_NET [192.168.30.0:192.168.30.9,192.168.30.12:192.168.30.255]

Thoughts?
-j


-- 
John Duksta <jduksta () gmail com>
Can't sleep, clowns will eat me.
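
Added example, not part of the original post: the same address set (192.168.30.0/24 without the two proxies) written as plain CIDR blocks, the notation the original setting already uses, computed two ways so the results can be cross-checked. The helper names are hypothetical; only Python's standard `ipaddress` module is used.

```python
import ipaddress

def ranges_to_cidrs(spec):
    """Turn 'a:b,c:d' (the colon range form from the post) into CIDR blocks."""
    nets = []
    for item in spec.strip("[] ").split(","):
        first, sep, last = item.strip().partition(":")
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last) if sep else lo
        if hi < lo:
            raise ValueError(f"range end before start: {item}")
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return sorted(ipaddress.collapse_addresses(nets))

def exclude_hosts(network, hosts):
    """Carve single hosts out of a network and return the remaining CIDR blocks."""
    remaining = [ipaddress.ip_network(network)]
    for host in hosts:
        h = ipaddress.ip_network(host)  # a bare address parses as a /32
        kept = []
        for net in remaining:
            if h.subnet_of(net):
                kept.extend(net.address_exclude(h))  # yields nothing if net == h
            else:
                kept.append(net)
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def as_var(name, nets):
    """Format a CIDR list as a snort.conf 'var' line."""
    return f"var {name} [{','.join(str(n) for n in nets)}]"

# Values taken from the post
RANGE_SPEC = "[192.168.30.0:192.168.30.9,192.168.30.12:192.168.30.255]"
PROXIES = ["192.168.30.10", "192.168.30.11"]

if __name__ == "__main__":
    from_ranges = ranges_to_cidrs(RANGE_SPEC)
    from_exclusion = exclude_hosts("192.168.30.0/24", PROXIES)
    assert from_ranges == from_exclusion  # both routes describe the same hosts
    print(as_var("HOME_NET", from_ranges))
```

Each excluded host splits the /24 further, so the CIDR list grows with every proxy that is carved out.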