[Snort-users] rules.base question

amp amp at
Wed Sep 20 23:47:44 EDT 2000


I've been beating my head against a wall all evening trying to figure out
=exactly= what 2 parameters are in the rules.base file.

They are:
var EXTERNAL 63.87.101.0/24
and 
var INTERNAL 192.168.1.0/24

I realize I have to put in my own address information into one or both of these
lines, but I've been scouring the docs both that come with the software, and 
that I've found on the Snort website.

I'm running a Linux box sitting on a cable modem. I have a static IP address.
I basically want to run snort so I can determine what kind of hacks are being
tried against my box, and hopefully avert them.

However, I haven't been able to find much of =anything= at all about the two
aforementioned parameters.

I would assume that I want something like my IP address as the "internal"
variable, with a /24 to catch the subnet. i.e.,
	var INTERNAL 24.7.237.0/24 
I'm not quite sure why I need to include the /24 though, as I'm really only
interested in traffic coming to my address.

I have no idea what should go in the 'external' variable though, and I've looked
pretty hard for it. Am I being dense, or just missing something obvious?

Thanks,

alan

-- 
amp at ...492...
http://www.zeugma.nu/

Never be afraid to try something new. 
Remember, amateurs built the ark. 
Professionals built the Titanic.



More information about the Snort-users mailing list