[Snort-users] Vision rules EXTERNAL/EXTERNAL_NET
root at ...2043...
Wed May 16 16:03:34 EDT 2001
Just trying the vision.rules for the first time and I had to add:

    var INTERNAL $HOME_NET
    var EXTERNAL $EXTERNAL_NET

after the original defs to keep all the rules working - is this normal?
I'm also getting:

    May 16 14:51:01 pmwiwb snort: ERROR vision.rules (1) => Invalid CIDR block for IP addr 1024:
    alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg: "IDS483/trojan-dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16;)

Is that because I'm using the:

    var HOME_NET $eth0_ADDRESS

format? The snort rules all worked fine - is there a standard story for
using one set over the other?

Andy Bach, Sys. Mgr
Internet: andy at ...2043... VOICE: (608) 264-5178 ex 5738, FAX 264-510
UNIX *is* user friendly. It is just a bit selective about her friends.