[Snort-users] Home_net & external_net

Jeremy Finke Jeremy.Finke at ...7343...
Fri Dec 6 08:11:03 EST 2002


Hmm... that is an interesting idea...  I tried to do what Robby Desmond suggested which was:
var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16] 
var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]

But, it still seems to have the same problem...  I might be missing something...  My network is a little complicated how some of these things talk to each other...  :D

	-----Original Message----- 
	From: Erek Adams [mailto:erek at ...577...] 
	Sent: Fri 12/6/2002 9:21 AM 
	To: Jeremy Finke 
	Cc: snort-users at lists.sourceforge.net 
	Subject: RE: [Snort-users] Home_net & external_net
	
	

	On Fri, 6 Dec 2002, Jeremy Finke wrote:
	
	> Except that I want to view 192.168.41.0 as both an attacking and
	> protected network.
	
	Ok, well that's not clear from your original info.
	
	[I'm short on cofee today, so all brain cells may not be firing...]
	
	What you're doing now:
	
	> var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
	> var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]
	
	Wouldn't work the way you want.  If it does work and is valid (I'm too
	lazy to dig into the source right now) it is the same as setting EXTERNAL
	to !$HOME_NET.
	
	You might want to consider running another instance of snort that is setup
	to just watch the 192.168.41.0 net.  Setup one as external as !$HOME on
	one, then use 'any' on the second.
	
	Granted it's not optimal, bit it would work.
	
	Cheers!
	
	-----
	Erek Adams
	Nifty-Type-Guy
	TheAdamsFamily.Net
	



More information about the Snort-users mailing list