[Snort-users] Looking for dox on $EXTERNA, $INTERNAL, and $HOME_NET

Dragos Ruiu dr at ...381...
Mon Nov 6 13:41:35 EST 2000


You'll have some problems with this... unfortunately one of the limitations of
snort is that you can only put a single address in for variables and rules...
(portscan ignore-hosts is an exception to this) You'll have to change some
stuff and use multiple rules to achieve what you are trying to do there....
The good news for you however is that if you examine some of your host
definitions and the CIDR masks you'll see that some of your /24 definitions
overlap and are not needed.

Multiple addresses are on our todo list.... and I'm going to work on it if
no-one else does first.... but I have to finish some memory optimizations on
the new defragger for the 1.7 release.  But the good news is that I have
some downtime between contracts this week and I'm planning on spending
the entire day today on Snort... yay.

cheers,
--dr

On Mon, 06 Nov 2000, you wrote:
> If you're interested, here is how I have re-done my config. It seems to be
> working well so far. CPU usage is way down also. Plenty of alerts.
> 
> any comments?

[rules file omitted to avoid publishing IP addrs]

-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
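
The overlap check suggested in the message above, as an added example that is not part of the original post or of Snort itself: it flags CIDR definitions already covered by a wider one and reports whether what remains fits a single-address variable. The function name and the sample networks are constructed for illustration; the poster's real rules file was omitted.

```python
import ipaddress


def audit_net_definitions(cidrs):
    """Audit a list of IPv4 CIDR strings used as network definitions.

    Returns (redundant, minimal, fits_single_variable):
      redundant - {definition: the listed definition that already covers it}
      minimal   - smallest list of CIDR blocks covering the same addresses
      fits_single_variable - True if one CIDR block expresses everything
    """
    # strict=False accepts host bits set, e.g. 10.1.5.7/24 -> 10.1.5.0/24
    nets = [ipaddress.IPv4Network(c, strict=False) for c in cidrs]
    redundant = {}
    for i, net in enumerate(nets):
        for j, other in enumerate(nets):
            if i == j:
                continue
            # Covered by a strictly wider block, or a duplicate listed earlier
            wider = other.prefixlen < net.prefixlen and net.subnet_of(other)
            duplicate = net == other and j < i
            if wider or duplicate:
                redundant[cidrs[i]] = cidrs[j]
                break
    # collapse_addresses drops covered blocks and merges adjacent siblings
    minimal = [str(n) for n in ipaddress.collapse_addresses(nets)]
    return redundant, minimal, len(minimal) == 1


# Constructed sample definitions (not taken from the omitted rules file)
SAMPLE = [
    "10.1.0.0/16",
    "10.1.5.0/24",     # inside 10.1.0.0/16, not needed
    "10.1.9.0/24",     # inside 10.1.0.0/16, not needed
    "192.0.2.0/25",
    "192.0.2.128/25",  # adjacent to the /25 above, merges into one /24
]

if __name__ == "__main__":
    redundant, minimal, single = audit_net_definitions(SAMPLE)
    for narrow, wide in redundant.items():
        print(f"{narrow} is already covered by {wide}")
    print("minimal set:", ", ".join(minimal))
    if not single:
        print("more than one block remains: one rule set per block is needed")
```
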


