[Snort-users] rules difficulty

Greg Sarsons gsarsons at ...530...
Sun Oct 28 07:39:02 EST 2001


tks ... 

But is this only going to give me the traffic to and from the network and
not the local-to-local traffic?

Wow, does this ever take a long time to dump into MySQL.

Greg

On Sun, 2001-10-28 at 10:30, Martin Roesch wrote:
> You can simplify this greatly.
> 
> var HOME_NET x.117.88.0/24
> 
> log ip any any <> $HOME_NET any
> 
> That's all you need.
> 
>     -Marty
> 
> Greg Sarsons wrote:
> > 
> > I'm having trouble getting my rule to do what I want.  It is simple: all
> > I want is to log everything from this range, i.e. see what traffic is
> > coming and going from the network.
> > 
> > the range is x.117.88.0 to x.117.95.255
> > 
> > log tcp $EXTERNAL_NET any <> $HOME_NET any ..
> > log udp $EXTERNAL_NET any <> $HOME_NET any ..
> > log icmp $EXTERNAL_NET any <> $HOME_NET any ..
> > log ip  $EXTERNAL_NET any <> $HOME_NET any ..
> > 
> > I guess my confusion is over getting the correct HOME_NET and
> > EXTERNAL_NET variables.
> > 
> > Greg
> > 
> 
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...1935... - http://www.sourcefire.com  
> Snort: Open Source Network IDS - http://www.snort.org
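
An added example, not part of the thread: a Python model of how the two rule headers discussed above (`any any <> $HOME_NET any` and `$EXTERNAL_NET any <> $HOME_NET any`) treat local-to-local traffic, and of the CIDR block that covers the stated address range. Assumptions: the redacted first octet is replaced by the constructed placeholder 10, `EXTERNAL_NET` is taken to be `!$HOME_NET`, the function names are hypothetical, and only addresses are modelled because the ports are `any`.

```python
import ipaddress

# The first octet is redacted ("x") in the thread; 10 is a constructed placeholder.
RANGE_START = ipaddress.ip_address("10.117.88.0")
RANGE_END = ipaddress.ip_address("10.117.95.255")


def covering_cidrs(start, end):
    """Smallest list of CIDR blocks that exactly covers start..end."""
    return list(ipaddress.summarize_address_range(start, end))


def side_matches(addr, spec, home_nets):
    """Match one address against 'any', 'HOME_NET' or '!HOME_NET'."""
    if spec == "any":
        return True
    in_home = any(addr in net for net in home_nets)
    return in_home if spec == "HOME_NET" else not in_home


def header_matches(src, dst, left, right, home_nets):
    """Model of a bidirectional (<>) rule header: either orientation may match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    forward = side_matches(src, left, home_nets) and side_matches(dst, right, home_nets)
    reverse = side_matches(dst, left, home_nets) and side_matches(src, right, home_nets)
    return forward or reverse


HOME_NETS = covering_cidrs(RANGE_START, RANGE_END)

# Constructed sample flows (src, dst); not taken from the thread.
FLOWS = {
    "inbound": ("192.0.2.10", "10.117.90.5"),
    "outbound": ("10.117.95.200", "192.0.2.10"),
    "local-to-local": ("10.117.88.7", "10.117.94.9"),
    "unrelated": ("192.0.2.10", "198.51.100.4"),
}

if __name__ == "__main__":
    print("HOME_NET =", ",".join(str(n) for n in HOME_NETS))
    for name, (src, dst) in FLOWS.items():
        any_rule = header_matches(src, dst, "any", "HOME_NET", HOME_NETS)
        ext_rule = header_matches(src, dst, "!HOME_NET", "HOME_NET", HOME_NETS)
        print(f"{name:15} any<>HOME_NET={any_rule}  !HOME_NET<>HOME_NET={ext_rule}")
```

Whether local-to-local packets are logged in practice also depends on the sensor being placed where it can see that traffic.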