[Snort-users] Home_net & external_net
erek at ...577...
Fri Dec 6 07:26:05 EST 2002
On Fri, 6 Dec 2002, Jeremy Finke wrote:
> Except that I want to view 192.168.41.0 as both an attacking and
> protected network.
Ok, well that's not clear from your original info.
[I'm short on coffee today, so all brain cells may not be firing...]
What you're doing now:
> var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
> var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]
Wouldn't work the way you want. If it does work and is valid (I'm too
lazy to dig into the source right now) it is the same as setting EXTERNAL
You might want to consider running another instance of snort that is set up
to just watch the 192.168.41.0 net. Set up one as external as !$HOME on
one, then use 'any' on the second.
Granted it's not optimal, but it would work.
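
An added illustration, not part of the original message: a small model of the two-instance layout suggested above, showing which instance would evaluate a flow against rules of the form `$EXTERNAL_NET any -> $HOME_NET any`. It assumes the second instance keeps the same HOME_NET, sets EXTERNAL_NET to any, and is limited to traffic to or from 192.168.41.0/24; the sample addresses and function names are constructed.

```python
# Added example (not from the thread). Models only rule headers of the form
#   $EXTERNAL_NET any -> $HOME_NET any
from ipaddress import ip_address, ip_network

HOME_NET = [ip_network(n) for n in
            ("192.168.40.0/24", "192.168.41.0/24", "10.14.0.0/16")]
WATCHED = ip_network("192.168.41.0/24")  # net that is both attacker and protected


def in_any(addr, nets):
    return any(addr in net for net in nets)


# Per instance: (source counts as external?, instance sees this flow?)
INSTANCES = {
    # First instance: EXTERNAL_NET is !$HOME_NET, sees all traffic.
    "first": (lambda s: not in_any(s, HOME_NET), lambda s, d: True),
    # Second instance (assumed reading): EXTERNAL_NET any, restricted to
    # traffic that has 192.168.41.0/24 on either side.
    "second": (lambda s: True, lambda s, d: s in WATCHED or d in WATCHED),
}


def alerting_instances(src, dst):
    """Names of the instances whose EXTERNAL->HOME rules apply to src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    if not in_any(d, HOME_NET):        # destination must be in HOME_NET
        return []
    return [name for name, (is_external, sees) in INSTANCES.items()
            if sees(s, d) and is_external(s)]


# Constructed sample flows (203.0.113.0/24 is a documentation range).
FLOWS = [
    ("203.0.113.9", "192.168.40.5"),   # outside -> protected net
    ("192.168.41.7", "192.168.40.5"),  # 41 net acting as attacker
    ("192.168.40.5", "192.168.41.7"),  # 41 net as protected target
    ("203.0.113.9", "192.168.41.7"),   # outside -> 41: both instances fire
    ("192.168.40.5", "10.14.1.1"),     # internal -> internal, not involving 41
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src:>14} -> {dst:<14} {alerting_instances(src, dst) or 'no instance'}")
```

Flows from outside into 192.168.41.0/24 are evaluated by both instances, so expect duplicate alerts for those unless one side is filtered or de-duplicated downstream.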