[Snort-users] SNORT $INTERNAL $EXTERNAL and $NHOMENET variables

Max Vision vision at ...5...
Sat Oct 14 23:33:51 EDT 2000


On Sat, Oct 14, 2000 at 05:08:55PM -0500, Erick Arturo Perez Huemer wrote:
> My internal net is 10.x.x.0 and the external interface (internet) is
> 208.x.x.x.
> In the vision.rules I use $INTERNAL (10.x.x.0) and $EXTERNAL (208.x.x.x) for
> that ruleset.
> In the latest snort ruleset 10102k.rules there is a variable called
> $HOME_NET which I defined as the 208.x.x.x. network.
> 
> According to the vision ruleset, will my snort process traffic going from
> the external interface IP to the internal (10.x) only? What about the
> address of the internet itself? How do I define the variables to allow snort
> to match the internet traffic against my 208.x.x.x IP?
> 

What Snort sees will depend on how you have your network configured.  Try
sniffing on the external interface and note whether you see 10.x
traffic.  If so, then you should consider reconfiguring your firewall so
that you have two separate nic cards, and isolate the external interface
so it can only see internet traffic, and its corresponding internal
interface (the other nic card in the same machine).

In any case, you should set the $INTERNAL variable to be the IP range
that hosts on the public internet will talk to, in your case it will be
the IP of your "external interface".  $EXTERNAL will be everything else
and will only be confused by the 10.x addresses if the external interface
is sharing a nic with the internal interface.

So if you have a NAT/proxy/firewall box that has two network cards, one
is 10.0.0.1 and another is a public address 208.x.x.x, then set
$INTERNAL = 208.x.x.x/24 and $EXTERNAL = !$INTERNAL.  (replace with
whatever your IP and netmask are; these are just an illustration)

If you are sharing a nic card for your NAT/proxy/firewall machine and the
external interface can see the 10.x traffic, then add a "pass" rule to
the start of your snort rules like:
 pass tcp 10.0.0.0/24 any <> any any
 pass udp 10.0.0.0/24 any <> any any
 pass icmp 10.0.0.0/24 any <> any any

What is more appropriate is to just buy another nic card and separate the
interfaces physically. (not that this is your situation, just speaking in
general)

Max
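The variable and pass-rule setup described above, modelled as an added Python check; this is not code from the original thread or from Snort itself, the 203.0.113.0/24 and 198.51.100.x addresses are constructed stand-ins for the 208.x.x.x/24 public side, and the 10.0.0.0/24 pass rule is taken from the mail, so the example also shows that a 10.x host outside that /24 is not passed and ends up matching $EXTERNAL.

```python
import ipaddress

# Constructed stand-ins for the values in the mail: 203.0.113.0/24 (a
# documentation range) plays the role of the 208.x.x.x/24 public side.
INTERNAL = ipaddress.ip_network("203.0.113.0/24")  # var INTERNAL
PRIVATE = ipaddress.ip_network("10.0.0.0/8")        # the NAT side (10.x)
# The three pass rules in the mail use 10.0.0.0/24 with '<>', so a packet is
# passed when either endpoint lies in that /24.
PASS_NETS = [ipaddress.ip_network("10.0.0.0/24")]

def is_external(addr):
    """$EXTERNAL = !$INTERNAL: true for any address outside INTERNAL."""
    return ipaddress.ip_address(addr) not in INTERNAL

def passed(src, dst):
    """Would a '<>' pass rule on one of PASS_NETS match this packet?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n or d in n for n in PASS_NETS)

def classify(src, dst):
    """Direction Snort would effectively assign under these variables."""
    if passed(src, dst):
        return "pass"
    if is_external(src) and not is_external(dst):
        return "external->internal"
    if not is_external(src) and is_external(dst):
        return "internal->external"
    return "other"

def leaked_private(flows):
    """10.x endpoints seen on the external side that no pass rule covers:
    Snort would treat them as $EXTERNAL, the confusion the mail warns of."""
    leaked = set()
    for src, dst in flows:
        for a in (src, dst):
            ip = ipaddress.ip_address(a)
            if ip in PRIVATE and not any(ip in n for n in PASS_NETS):
                leaked.add(a)
    return sorted(leaked)

# Constructed sample of what sniffing the external interface might show.
SAMPLE = [
    ("198.51.100.7", "203.0.113.5"),  # internet host -> public interface
    ("203.0.113.5", "198.51.100.7"),  # the reply
    ("10.0.0.4", "203.0.113.5"),      # 10.0.0.0/24 host, covered by pass rule
    ("10.1.2.3", "203.0.113.5"),      # 10.x host outside that /24: not passed
]

if __name__ == "__main__":
    for s, d in SAMPLE:
        print(s, "->", d, classify(s, d))
    print("uncovered private endpoints:", leaked_private(SAMPLE))
```

If the last line of that output is non-empty on a real capture, either widen the pass rules to the whole 10.x range you use or, as the mail recommends, split the interfaces onto separate cards.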
