[Snort-users] defining $HOME_NET
FKnobbe at ...649...
Thu Oct 19 19:12:55 EDT 2000
-----BEGIN PGP SIGNED MESSAGE-----
If the homenets are not adjacent, you can always use 3 separate rule
sets (that's how I'm running it). It's quite an overhead, though, so
an option to define IP ranges would be nice, as in:
var INTERNAL_NET 10.10.10.5:10.10.10.55
var INTERNAL_NET 10.10.10.0/24, 10.10.30.0/24
- -----Original Message-----
From: Erik Engberg [mailto:Erik.Engberg at ...511...]
Sent: Thursday, October 19, 2000 3:08 PM
To: 'Steve Halligan'; 'Joanne Treurniet';
Snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] defining $HOME_NET
or /12 or /14, or /15 etc
As long as the subnets are adjacent to each other you should have
little trouble.. the problems start when they aren´t...
On one installation I have snort sniffing on 5 class C nets that are
xxx.xxx.240.0 - xxx.xxx.245.0
But I have to use a /21 netmask to cover this in "one" net.
Of course this means that xxx.xxx.246.0/24 and xxx.xxx.247.0/24 are
considered my home_net as well but there´s no traffic whatsoever from
those nets I can take that problem, although it wouldn´t be fun if
they started messing with me or an attacker found that out. Damage
wouldn´t be to great but visibility is hampered and you have to take
that into consideration...
Best thing is that I have control and I can always deny those nets in
my border router or firewall. Problem solved (although not so
When are we getting support for multiple home_nets? Are we getting
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.
-----END PGP SIGNATURE-----
More information about the Snort-users