[Snort-users] Multiple HOME_NET IP's

Andy Beal abeal at ...316...
Fri Aug 11 13:04:41 EDT 2000


Greetings,

How about 2 Completely different HOME_NET subnets, such as   192.168.0.0/24 and 10.0.0.0/8, how would I get this done?   Will some sort of Boolean And work inside the variable, it seems that the rules will/should interpret correctly, but I could be wrong.   


Andy Beal, CNE, CCNA
Matrix Integration, LLC
812-634-1550

>>> "Vitaly McLain" <twistah at ...93...> 08/10/00 11:32PM >>>
Hi,

Regarding monitoring a class C. Let's say your Class C is 192.168.1.x, you can set your $HOME_NET as:

var HOME_NET 192.168.1.0/24 

(I hope I'm right on that one, I always screw up netmasks! :) That should take care of a class C. Notice that's it's /24 and not /32.

The preproccesor 'portscan' is a variable used to setup your portscan detection (I am assuming you understand the term portscan.) You may leave the default numbers there, just make sure to set the IP to $HOME_NET.

Vitaly McLain
twistah at ...93... 
[ note: this message was sent to both [snort-users] and the person who originally posted the message ].





More information about the Snort-users mailing list