[Snort-sigs] What's wrong with this rule?

Paul Schmehl pauls at ...1311...
Fri Aug 6 10:52:01 EDT 2004


--On Friday, August 06, 2004 01:20:58 PM -0400 sekure <sekure at ...2420...> 
wrote:

> Perhaps your $EXTERNAL_NET is not defined properly.
> If it's just defined as "any" then it'll include internal hosts in it
> and you'll capture traffic from ANY DNS server (except the GOOD_DNS)
> to any host.
> If it's defined as "!$HOME_NET" then make sure that $HOME_NET includes
> ALL of the internal hosts.
>
> Other than that, I think it looks good.
>
var HOME_NET [my ranges]
var EXTERNAL_NET !$HOME_NET

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
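
Added example (not part of the original message, and not Snort's own code): a small Python check of the point discussed in this thread, listing which internal hosts a rule using $EXTERNAL_NET would treat as external under each definition. The address ranges, host list and function names are constructed for illustration, and the parser handles only "any", a bracketed list, a $VAR reference and a leading "!".

```python
import ipaddress

def parse_var(value, variables):
    """Resolve a Snort-style address variable to (negated, [networks])."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.startswith("$"):
        # Follow the reference; a "!" in front flips whatever it resolves to.
        inner_negated, nets = parse_var(variables[value[1:]], variables)
        return negated != inner_negated, nets
    if value == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = value.strip("[]").split(",")
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def in_var(host, name, variables):
    """True if host matches the named variable as a rule would see it."""
    negated, nets = parse_var(variables[name], variables)
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in nets) != negated

def internal_seen_as_external(hosts, variables):
    """Internal hosts that fall inside EXTERNAL_NET for this configuration."""
    return [h for h in hosts if in_var(h, "EXTERNAL_NET", variables)]

# Constructed sample data: three internal hosts and three variable sets.
INTERNAL_HOSTS = ["10.1.2.3", "172.16.5.9", "192.168.40.7"]
FULL_HOME = "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"
CONFIGS = {
    # EXTERNAL_NET any: every internal host also counts as external.
    "any": {"HOME_NET": FULL_HOME, "EXTERNAL_NET": "any"},
    # !$HOME_NET with a range missing: the uncovered host counts as external.
    "incomplete": {"HOME_NET": "[10.0.0.0/8,172.16.0.0/12]",
                   "EXTERNAL_NET": "!$HOME_NET"},
    # !$HOME_NET with all ranges listed: no internal host counts as external.
    "complete": {"HOME_NET": FULL_HOME, "EXTERNAL_NET": "!$HOME_NET"},
}

if __name__ == "__main__":
    for label, variables in CONFIGS.items():
        print(label, internal_seen_as_external(INTERNAL_HOSTS, variables))
```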



