[Snort-users] What am I missing?

Max Vision vision at ...4...
Sat May 5 21:03:07 EDT 2001


On Sun, 6 May 2001, Ed Greshko wrote:
> Here is my setup....
> 3 machines on the same subnet.
...
> Snort configuration:
>   var HOME_NET [10.220.17.0/24,!10.220.17.96/32]
>   var EXTERNAL_NET !$HOME_NET
>

The machines are on the same subnet, yet you are defining EXTERNAL_NET as
"everything that is not in the internal subnet"... so any rule that
watches for external->internal will skip right over your traffic.

Try setting EXTERNAL_NET to "any" if you want to do local testing like
this...

Max





More information about the Snort-users mailing list