[Snort-users] (no subject)

Rino Mardo rmardo at ...1751...
Sun Apr 8 12:51:33 EDT 2001


What exactly does the "!" in !HOME_NET mean?  It's confusing to look at it
because it seems to tell "not xx.xx.xx.xx" where xx = to the internal
network.  Is that it?  Are we meant to supply the same ip address in
HOME_NET and !HOME_NET ?  For example, if my internal network is
192.168.2.0/24 then both variables should hold the same value?


----- Original Message -----
From: "Tom Sevy" <tsevy at ...1701...>
To: "'Phil'" <foo_bar_00 at ...131...>; <snort-users at lists.sourceforge.net>
Sent: Sunday, April 08, 2001 5:32 PM
Subject: RE: [Snort-users] (no subject)


> I set my HOME_NET, and after that, I set EXTERNAL_NET to !HOME_NET
>
> It "seems" to be working, perhaps someone can confirm this is a valid
> setting of the _NET vars.
>
>
> -----Original Message-----
> From: Phil [mailto:foo_bar_00 at ...131...]
> Sent: Saturday, April 07, 2001 10:28 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] (no subject)
>
>
> Hey all, I sent this question in a while back from a
> different address, but for some reason that address
> couldn't post to the list. So I'm resending it.
>
> Marty wrote:
> <snip>
> > that's providing NAT/forwarding for an internal
> > network?  If this is the case, you want to set the >
> INTERNAL var to your
> > *external* (internet facing) interface address, not
> > the address of your internal machines.  Your
> external > interface is the one that's going to
> > see the attacks.
> </snip>
>
> This confused me greatly. I'm running my snort on a
> gateway as well. I will se attacks on the external
> interface (internet facing). Wouldn't everyone. Also,
> I don't have INTERNAL and EXTERNAL variables, I have
> HOME_NET and EXTERNAL_NET variables. I set HOME_NET to
> my internal interface (the NAT'd one, and the one I
> want to protect) and EXTERNAL_NET to the external
> interface (i.e. the internet). Unforntunately I've
> seen virtually no logs whatsoever when I do see logs
> it's usually a http_decode log, but it's nothing more
> than web browsing from an internal machine out to an
> external machine at port 80.
>
> I can't quite figure out what I'm doing wrong. Any
> help would be much appreciated. Thanks.
>
> Phil
>
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list