Snort mailing list archives

Setting the Home and External Net variables


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Fri, 13 Apr 2012 11:25:38 +0530

Hi,
I have a snort sensor that monitors one of my networks. The said network is
actually a collection of a few 10.x.y.0/24 networks which can grow further
in future. So I thought 10.0.0.0/8 is a good enough approximation for my
home_net. However, keeping the firewall 10.12.100.100 in HOME_NET wouldn't
make much sense (since the sensor actually listens between the firewall and
the 10 network core switch). So I configured this:
HOME_NET [10.0.0.0/8,!10.12.100.100]

Now for the external_net, I can either
1) Set EXTERNAL_NET any - This helps me in monitoring rogue internal nodes
2) Set EXTERNAL_NET to some specific values

Since I mirror a top level switch, there is no point in using 'any' as not
all the intra-network traffic will be seen (and it leads to a lot of false
positives).
But setting EXTERNAL_NET !$HOME_NET gives me an error.
ERROR: /etc/snort/snort.conf(48) Negated IP ranges that are more general
than non-negated ranges are not allowed. Consider inverting the logic in
EXTERNAL_NET
 How can I accurately set my HOME_NET and EXTERNAL_NET?
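The rule stated in the error message, applied to the HOME_NET value from the post, as an added example that is not part of the original message and is not Snort's own code. It assumes that "!" in front of a list variable flips the negation of every element, and that a list matches when a plain element matches and no negated element does; all function names are hypothetical.

```python
import ipaddress

HOME_NET = "[10.0.0.0/8,!10.12.100.100]"  # value taken from the post

def parse_list(text):
    """Parse a bracketed, comma-separated IP list into (network, negated) pairs."""
    items = []
    for tok in text.strip().strip("[]").split(","):
        tok = tok.strip()
        negated = tok.startswith("!")
        net = ipaddress.ip_network(tok.lstrip("!"), strict=False)
        items.append((net, negated))
    return items

def negate(items):
    """Assumption: negating a whole list flips the flag on each element."""
    return [(net, not neg) for net, neg in items]

def conflicts(items):
    """Return (negated, plain) pairs where the negated range covers the plain one."""
    plain = [n for n, neg in items if not neg]
    negated = [n for n, neg in items if neg]
    return [(n, p) for n in negated for p in plain
            if n.version == p.version and p.subnet_of(n)]

def matches(items, addr):
    """Assumed semantics: OR the plain elements, then exclude every negated one."""
    ip = ipaddress.ip_address(addr)
    plain = [n for n, neg in items if not neg]
    hit = not plain or any(ip in n for n in plain)
    excluded = any(ip in n for n, neg in items if neg)
    return hit and not excluded

if __name__ == "__main__":
    home = parse_list(HOME_NET)
    print("HOME_NET conflicts:", conflicts(home))
    print("10.1.2.3 in HOME_NET:", matches(home, "10.1.2.3"))
    print("firewall in HOME_NET:", matches(home, "10.12.100.100"))
    # Under the flip assumption, !$HOME_NET becomes [!10.0.0.0/8,10.12.100.100]:
    # the negated /8 is more general than the plain host, which is the
    # condition the error message names.
    for neg, pos in conflicts(negate(home)):
        print(f"!$HOME_NET conflict: !{neg} covers {pos}")
```

HOME_NET on its own passes the check because its negated element is narrower than the /8 it is carved out of; only the negated form puts the broad range on the negated side.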