[Snort-users] Home_net & external_net

Don Don at ...5881...
Thu Dec 5 17:26:18 EST 2002


I'm not sure if you can have the ANY there inside
the parentheses; maybe try a trusted_net variable, since you're excluding one
segment of your home_net.
Do:
var TRUSTED_NET [192.168.40.0/24,!10.14.0.0/16]
var EXTERNAL_NET  !$TRUSTED_NET

don

  -----Original Message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jeremy Finke
  Sent: Thursday, December 05, 2002 4:20 PM
  To: snort-users at lists.sourceforge.net
  Subject: [Snort-users] Home_net & external_net


  I have something that is driving me crazy.

  I have alerts going off from within two different segments of my HOME_NET.
I don't understand why I am seeing these.  Here are the 2 lines from my
snort.conf:

  var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
  var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]

  I have an alert from 10.14.1.50 going to 192.168.40.65 that is SNMP
request udp.  Why is that showing up?  Since they are both HOME_NET
networks, shouldn't snort not log this type of activity?

  I also have other examples:
   #7-(2-1418) [arachnids][snort] ICMP L3retriever Ping 2002-12-05 18:13:15 10.14.1.50 192.168.40.67 ICMP
   #9-(2-1426) [cve][icat][arachnids][snort] TELNET access 2002-12-05 18:15:41 192.168.40.53:23 10.14.14.182:1925
  Thanks!



  Jeremy T. Finke
  Systems Engineer
  Meridian IQ
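
Added example, not part of the original thread and not Snort's own code: a small Python model of how the posted HOME_NET and EXTERNAL_NET lists classify the alert endpoints under two list semantics. The Snort manual for 2.8 and later notes that in 2.7.x and earlier each element of an IP list was OR'ed together, while later versions OR the non-negated elements and AND the result with the negated ones; the function names here are hypothetical, and 192.168.41.10 and 203.0.113.9 are constructed sample addresses.

```python
import ipaddress

def parse_list(spec):
    """Parse a Snort-style IP list into (negated, network) pairs."""
    items = []
    for tok in spec.strip("[] ").split(","):
        tok = tok.strip()
        negated = tok.startswith("!")
        tok = tok.lstrip("!")
        cidr = "0.0.0.0/0" if tok.lower() == "any" else tok
        items.append((negated, ipaddress.ip_network(cidr)))
    return items

def match_or(items, ip):
    """Older model: each element is tested alone; any single hit matches."""
    addr = ipaddress.ip_address(ip)
    return any((addr in net) != negated for negated, net in items)

def match_subtract(items, ip):
    """Later model: in a positive element and in no negated element."""
    addr = ipaddress.ip_address(ip)
    pos = [net for negated, net in items if not negated]
    neg = [net for negated, net in items if negated]
    in_pos = not pos or any(addr in net for net in pos)
    return in_pos and not any(addr in net for net in neg)

# Variables exactly as posted in the original message.
HOME_NET = parse_list("[192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]")
EXTERNAL_NET = parse_list("[any,!192.168.40.0/24,!10.14.0.0/16]")

def classify(ip, matcher):
    """Return (in HOME_NET, in EXTERNAL_NET) for one address."""
    return matcher(HOME_NET, ip), matcher(EXTERNAL_NET, ip)

if __name__ == "__main__":
    # Endpoints from the alerts in the message, plus two constructed
    # addresses: one in 192.168.41.0/24 and one outside HOME_NET.
    hosts = ["10.14.1.50", "192.168.40.65", "192.168.40.53",
             "10.14.14.182", "192.168.41.10", "203.0.113.9"]
    for ip in hosts:
        print(ip, "or:", classify(ip, match_or),
              "subtract:", classify(ip, match_subtract))
```

Under the OR model the `any` element makes every address a member of EXTERNAL_NET, so the negations have no effect. Under the subtract model 192.168.41.0/24 still lands in both variables, because it is listed in HOME_NET but not negated in EXTERNAL_NET.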