[Snort-users] HOME_NET and EXTERNAL_NET variables
erek at ...577...
Thu Nov 1 11:24:13 EST 2001
On Thu, 1 Nov 2001, Merrick, Gary wrote:
> Yes, this is a total newbie question, but I figured this is the right
> place to ask it.
No, it's not. We flog all newbies with streams of Electrons until they bow
down to the power of Snort.
> What is the purpose of the HOME_NET and EXTERNAL_NET variables that are
> defined in snort.conf? Does it change the formatting of the alerts? Or
> perhaps turn off the scanning of packets originating from an internal
> network? Or something else?
Answer D) A mixture. :)
> I would imagine this would be a fairly straightforward process to define
> them if one had an extremely simple network architecture. But my
> ultimate aim is to be able to monitor 3 or 4 networks. In such a case,
> what is considered "home" and what is "external"?
HOME_NET and EXTERNAL_NET are basically exactly what they say. Anything
inside a range that you wish to call 'home' should be defined as HOME_NET.
This defines your local net(s). Your 'area of watching' you could say.
EXTERNAL_NET is just the opposite. It's where you want to watch for things
coming from. If you go to the rules and look you'll see a lot of rules that
break down to something like "If a packet comes in from EXTERNAL_NET and is
going to HOME_NET and has these patterns/flags/content, then alert someone."
    var HOME_NET 10.1.1.0/24        (Or whatever your range(s) are.)
    var EXTERNAL_NET !$HOME_NET     (Everything but HOME_NET)
Here's a FAQ link for what you want to do with the multi subnets:
> Any guidance would be much appreciated.
http://www.snort.org/docs/faq.html (Slightly older version)
http://www.theadamsfamily.net/~erek/snort/FAQ (Copy I yanked from CVS)
And of course: The Source Code! :)
Hope that helps!
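
Added example (not part of the original message, and not Snort's own code): a simplified Python model of how the address part of a rule header resolves $HOME_NET and $EXTERNAL_NET when several networks are monitored. The extra ranges, the sample flows and the function names are constructed for illustration, and only flat bracketed lists, "any" and a leading "!" are modelled.

```python
import ipaddress

# Constructed snort.conf-style variables. 10.1.1.0/24 is from the message;
# the other ranges are assumed, showing several monitored nets in one list.
SNORT_VARS = {
    "HOME_NET": "[10.1.1.0/24,10.2.0.0/16,192.168.5.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}

def resolve(spec, variables):
    """Return (negated, networks) for '$VAR', '!$VAR', '[a,b]', 'a' or 'any'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("$"):
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(item.strip()) for item in items]

def addr_matches(ip, spec, variables):
    negated, nets = resolve(spec, variables)
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negated

def header_matches(src, dst, variables=SNORT_VARS,
                   header="$EXTERNAL_NET -> $HOME_NET"):
    """True if a src->dst packet satisfies the address part of a rule header."""
    src_spec, dst_spec = (part.strip() for part in header.split("->"))
    return (addr_matches(src, src_spec, variables)
            and addr_matches(dst, dst_spec, variables))

# Constructed sample flows: (source, destination, note)
FLOWS = [
    ("203.0.113.9", "10.1.1.20", "outside -> home: rule can fire"),
    ("10.2.3.4", "10.1.1.20", "home -> home: not seen by this rule"),
    ("10.1.1.20", "203.0.113.9", "home -> outside: wrong direction"),
    ("172.16.0.5", "192.168.5.7", "net left out of HOME_NET counts as external"),
]

if __name__ == "__main__":
    for src, dst, note in FLOWS:
        print(f"{src:>12} -> {dst:<12} {header_matches(src, dst)!s:<5} {note}")
```

With EXTERNAL_NET set to "any" instead of "!$HOME_NET", the second flow (home to home) also satisfies the header, which is the trade-off to weigh when monitoring traffic between internal networks.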