[Snort-users] What am I missing?

Ed Greshko Edward.M.Greshko at ...1974...
Sun May 6 00:56:22 EDT 2001


Max,

> > Snort configuration:
> >   var HOME_NET [10.220.17.0/24,!10.220.17.96/32]
> >   var EXTERNAL_NET !$HOME_NET
> >
>
> The machines are on the same subnet, yet you are defining EXTERNAL_NET as
> "everything that is not in the internal subnet"... so any rule that
> watches for external->internal will skip right over your traffic.

I would have thought that the !10.220.17.96/32 would make that host (even
though it is on the same subnet) not part of HOME_NET.

Then, since EXTERNAL_NET is everything not on HOME_NET I thought a !! would
make .96 part of the EXTERNAL_NET.

> Try setting EXTERNAL_NET to "any" if you want to do local testing like
> this...

OK....I'll give that a try....

Thanks,
Ed

P.S.  No switch.





More information about the Snort-users mailing list