[Snort-users] (no subject)

Tom Sevy tsevy at ...1701...
Sun Apr 8 09:32:50 EDT 2001

I set my HOME_NET, and after that, I set EXTERNAL_NET to !HOME_NET

It "seems" to be working, perhaps someone can confirm this is a valid
setting of the _NET vars.

-----Original Message-----
From: Phil [mailto:foo_bar_00 at ...131...]
Sent: Saturday, April 07, 2001 10:28 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] (no subject)

Hey all, I sent this question in a while back from a
different address, but for some reason that address
couldn't post to the list. So I'm resending it.

Marty wrote:
> that's providing NAT/forwarding for an internal
> network?  If this is the case, you want to set the >
INTERNAL var to your
> *external* (internet facing) interface address, not 
> the address of your internal machines.  Your
external > interface is the one that's going to
> see the attacks.

This confused me greatly. I'm running my snort on a
gateway as well. I will se attacks on the external
interface (internet facing). Wouldn't everyone. Also,
I don't have INTERNAL and EXTERNAL variables, I have
HOME_NET and EXTERNAL_NET variables. I set HOME_NET to
my internal interface (the NAT'd one, and the one I
want to protect) and EXTERNAL_NET to the external
interface (i.e. the internet). Unforntunately I've
seen virtually no logs whatsoever when I do see logs
it's usually a http_decode log, but it's nothing more
than web browsing from an internal machine out to an
external machine at port 80.

I can't quite figure out what I'm doing wrong. Any
help would be much appreciated. Thanks.


Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list