[Snort-users] HOME_NET and EXTERNAL_NET variables

Erek Adams erek at ...577...
Thu Nov 1 11:24:13 EST 2001

On Thu, 1 Nov 2001, Merrick, Gary wrote:

> Yes, this is a total newbie question, but I figured this is the right
> place to ask it.

No, it's not.  We flog all newbies with streams of Electrons until they bow
down to the power of Snort.


> What is the purpose of the HOME_NET and EXTERNAL_NET variables that are
> defined in snort.conf?  Does it change the formatting of the alerts?  Or
> perhaps turn off the scanning of packets originating from an internal
> network?  Or something else?

Answer D)  A mixture.  :)

> I would imagine this would be a fairly straightforward process to define
> them if one had an extremely simple network architecture.  But my
> ultimate aim is to be able to monitor 3 or 4 networks.  In such a case,
> what is considered "home" and what is "external"?

HOME_NET and EXTERNAL_NET are basically exactly what they say.  Anything
inside a range that you wish to call 'home' should be defined as HOME_NET.
This defines your local net(s).  Your 'area of watching' you could say.

EXTERNAL_NET is just the opposite.  It's where you want to watch for things
coming from.  If you go to the rules and look you'll see a lot of rules that
break down to something like "If a packet comes in from EXTERNAL_NET and is
going to HOME_NET and has these patterns/flags/content, then alert someone."

My suggestion:

  var HOME_NET    (Or whatever your range(s) are.)
  var EXTERNAL_NET !$HOME_NET   (Everything but HOME_NET)

Here's a FAQ link for what you want to do with the multi subnets:


> Any guidance would be much appreciated.

http://www.snort.org/docs/faq.html		(Slightly older version)
http://www.theadamsfamily.net/~erek/snort/FAQ   (Copy I yanked from CVS)

And of course:  The Source Code!  :)

Hope that helps!

Erek Adams

More information about the Snort-users mailing list