[Snort-users] Vision rules EXTERNAL/EXTERNAL_NET

Andy Bach root at ...2043...
Wed May 16 16:03:34 EDT 2001


Hi Folks,

Just trying the vision.rules for the first time and I had to add:
var INTERNAL $HOME_NET
var EXTERNAL $EXTERNAL_NET
after the original defs to keep all the rules working - is this normal?

I'm also getting:
May 16 14:51:01 pmwiwb snort: ERROR vision.rules (1) => Invalid CIDR 
block for IP addr 1024:
(rule 1):
alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg: 
  "IDS483/trojan-dagger_1.4.0_client_connect"; flags: A+; 
  content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16;)

Is that because I'm using the:
var HOME_NET $eth0_ADDRESS

format?  The snort rules all worked fine - is there a standard story for 
using one set over the other?

Thanks.

a

Andy Bach, Sys. Mgr
Internet: andy at ...2043...    VOICE: (608) 264-5178 ex 5738, FAX 264-510

   UNIX *is* user friendly. It is just a bit selective about her friends.





More information about the Snort-users mailing list