[Snort-users] Home_net & external_net

Erek Adams erek at ...577...
Fri Dec 6 07:26:05 EST 2002

On Fri, 6 Dec 2002, Jeremy Finke wrote:

> Except that I want to view as both an attacking and
> protected network.

Ok, well that's not clear from your original info.

[I'm short on cofee today, so all brain cells may not be firing...]

What you're doing now:

> var HOME_NET [,,]
> var EXTERNAL_NET [any,!,!]

Wouldn't work the way you want.  If it does work and is valid (I'm too
lazy to dig into the source right now) it is the same as setting EXTERNAL
to !$HOME_NET.

You might want to consider running another instance of snort that is setup
to just watch the net.  Setup one as external as !$HOME on
one, then use 'any' on the second.

Granted it's not optimal, bit it would work.


Erek Adams

More information about the Snort-users mailing list