Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Regarding snort.conf HOME_NET and EXTERNAL_NET

From: Brandon Phelps <bphelps () gls com>
Date: Thu, 10 Nov 2011 16:39:16 -0500
Hello,

The default snort.conf indicates that you should leave EXTERNAL_NET as 
"any" in most situations.

I already have HOME_NET set to [10.0.0.0/8] (my internal network) so 
would it be prudent to set EXTERNAL_NET to !$HOME_NET instead, or should 
I leave it as any?  I would like to cut down on false positives and such 
as much as possible without the risk of losing any truly malicious alerts.

I have seen other configuration examples that have EXTERNAL_NET set to 
negate HOME_NET, so I'm not sure which is best.

Thanks,
Brandon

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: