[Snort-users] Home_net & external_net

Erek Adams erek at ...577...
Fri Dec 6 07:26:05 EST 2002


On Fri, 6 Dec 2002, Jeremy Finke wrote:

> Except that I want to view 192.168.41.0 as both an attacking and
> protected network.

Ok, well that's not clear from your original info.

[I'm short on cofee today, so all brain cells may not be firing...]

What you're doing now:

> var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
> var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]

Wouldn't work the way you want.  If it does work and is valid (I'm too
lazy to dig into the source right now) it is the same as setting EXTERNAL
to !$HOME_NET.

You might want to consider running another instance of snort that is setup
to just watch the 192.168.41.0 net.  Setup one as external as !$HOME on
one, then use 'any' on the second.

Granted it's not optimal, bit it would work.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




More information about the Snort-users mailing list