[Snort-users] rules difficulty

Chris Green cmg at ...671...
Sun Oct 28 08:12:02 EST 2001


Greg Sarsons <gsarsons at ...530...> writes:

> I'm having trouble getting my rule to do what I want.  It is simple: all
> I want is to log everything from this range, i.e. see what traffic is
> coming and going from the network.
>
> the range is x.117.88.0 to x.117.95.255
>
> I guess my confusion is over getting the correct HOME_NET and
> EXTERNAL_NET variables.

Try

var HOME_NET 192.117.88.0/21
var EXTERNAL_NET !$HOME_NET


If your goal is to do all traffic, I'd just use something like tcpdump
and then use snort to investigate afterwards.
-- 
Chris Green <cmg at ...671...>
Fame may be fleeting but obscurity is forever.
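
Added example, not part of the original thread: a Python helper that derives the CIDR block(s) for an inclusive address range and emits the matching Snort `var` lines, plus a check of what a written prefix really spans. The function names are hypothetical, and 192 stands in for the elided first octet, as in the reply above.

```python
import ipaddress


def cidrs_for_range(first, last):
    """Minimal list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    return list(ipaddress.summarize_address_range(lo, hi))


def covered_span(cidr):
    """First and last address of the block a written CIDR denotes.

    strict=False masks off any host bits, so a base address that is not
    aligned to the prefix length is rounded down to the block boundary.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def snort_vars(first, last):
    """Snort variable definitions for a monitored range.

    A range that is not a single aligned block becomes a bracketed,
    comma-separated list, which is Snort's IP list syntax.
    """
    nets = [str(n) for n in cidrs_for_range(first, last)]
    home = nets[0] if len(nets) == 1 else "[" + ",".join(nets) + "]"
    return ["var HOME_NET " + home, "var EXTERNAL_NET !$HOME_NET"]


if __name__ == "__main__":
    # Constructed input: the range from the question with 192 as first octet.
    for line in snort_vars("192.117.88.0", "192.117.95.255"):
        print(line)
    # A /20 written on the same base address spans more than the range.
    print(covered_span("192.117.88.0/20"))
    # A range that does not end on a block boundary needs a list.
    for line in snort_vars("192.117.88.0", "192.117.96.255"):
        print(line)
```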



