[Snort-users] Vision rules EXTERNAL/EXTERNAL_NET
cpw at ...440...
Wed May 16 17:08:04 EDT 2001
On Wed, May 16, 2001 at 03:03:34PM -0500, Andy Bach wrote:
> Hi Folks,
> Just trying the vision.rules for the first time and I had to add:
> var INTERNAL $HOME_NET
> var EXTERNAL $EXTERNAL_NET
> after the original defs to keep all the rules working - is this normal?
> I'm also getting:
> May 16 14:51:01 pmwiwb snort: ERROR vision.rules (1) => Invalid CIDR
> block for IP addr 1024:
This is the result of $EXTERNAL being eq "" (nothing), so the port 1024
gets treated as an IP thingamabob.
Take a close look at your configuration file and make sure that you have
defined the various $variables like:
var INTERNAL [192.168.0.0/24]
var EXTERNAL !$INTERNAL
There could be other variables defined in your rules such as SMTP or
It's an iterative process, until you find all the things that need to
> (rule 1):
> alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg:
> "IDS483/trojan-dagger_1.4.0_client_connect"; flags: A+;
> content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16;)
> Is that because I'm using the:
> var HOME_NET $eth0_ADDRESS
> format? The snort rules all worked fine - is there a standard story for
> using one set over the other?
> Andy Bach, Sys. Mgr
> Internet: andy at ...2043... VOICE: (608) 264-5178 ex 5738, FAX 264-510
> UNIX *is* user friendly. It is just a bit selective about her friends.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
Phil Wood, cpw at ...440...
More information about the Snort-users