[Snort-sigs] Holy false Positives

Shaun T. Erickson ste at ...2549...
Wed Jun 16 08:23:02 EDT 2004


Matthew Watchinski wrote:

> Make sure you set your $HOME_NET and $EXTERNAL_NET variables correctly. 
> Setting these to the correct subnets will most likely eliminate your 
> SCAN UPnP service discover attempt alerts.
> 
> $HOME_NET = all the networks you protect
> $EXTERNAL_NET = !$HOME_NET

I have three sensors, each on their own subnet. Each of them should have 
their $HOME_NET set to the network they are sniffing, and just that, 
correct?

As for each system's $EXTERNAL_NET, they were set to "any", as suggested 
in the snort.conf file. I've just changed them to be like you stated above.

Do I have it right, now?

	-ste
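
An added illustration, not part of the original message or of Snort itself: a small evaluator for Snort-style address variables, showing which packets satisfy a rule header of the form `$EXTERNAL_NET any -> $HOME_NET 1900` when `$EXTERNAL_NET` is `any` versus `!$HOME_NET`. The rule header shape, the subnets and the packets are assumptions constructed for the example.

```python
import ipaddress

def in_spec(addr, spec, variables):
    """True if addr matches a Snort-style address spec.
    Handles: any, host/CIDR, $VAR, !negation and flat [a,b] lists."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not in_spec(addr, spec[1:], variables)
    if spec.startswith("$"):
        return in_spec(addr, variables[spec[1:]], variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(in_spec(addr, s, variables) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def header_matches(src, dst, variables):
    # Assumed header: alert udp $EXTERNAL_NET any -> $HOME_NET 1900
    return (in_spec(src, "$EXTERNAL_NET", variables)
            and in_spec(dst, "$HOME_NET", variables))

# Constructed sensor settings: this sensor sniffs 10.1.1.0/24 only.
HOME = "10.1.1.0/24"
CONF_ANY = {"HOME_NET": HOME, "EXTERNAL_NET": "any"}
CONF_NEG = {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET"}

# Constructed (src, dst) pairs, all UDP to port 1900.
PACKETS = [
    ("10.1.1.10", "10.1.1.20"),     # same subnet -> same subnet
    ("10.1.2.5", "10.1.1.20"),      # another internal subnet -> this subnet
    ("198.51.100.7", "10.1.1.20"),  # outside -> this subnet
    ("10.1.1.10", "198.51.100.7"),  # this subnet -> outside
]

def alerts(variables):
    """Return the packets whose addresses satisfy the rule header."""
    return [p for p in PACKETS if header_matches(*p, variables)]

if __name__ == "__main__":
    for name, conf in (("any", CONF_ANY), ("!$HOME_NET", CONF_NEG)):
        print(f"EXTERNAL_NET={name}: {alerts(conf)}")
```

With `$HOME_NET` limited to the one sniffed subnet, hosts on the other sensors' subnets fall under `!$HOME_NET`, so their traffic into this subnet still matches the header.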
