[Snort-users] Home_net & external_net
Jeremy.Finke at ...7343...
Fri Dec 6 08:11:03 EST 2002
Hmm... that is an interesting idea... I tried to do what Robby Desmond suggested which was:
var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]
But, it still seems to have the same problem... I might be missing something... My network is a little complicated how some of these things talk to each other... :D
From: Erek Adams [mailto:erek at ...577...]
Sent: Fri 12/6/2002 9:21 AM
To: Jeremy Finke
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Home_net & external_net
On Fri, 6 Dec 2002, Jeremy Finke wrote:
> Except that I want to view 192.168.41.0 as both an attacking and
> protected network.
Ok, well that's not clear from your original info.
[I'm short on cofee today, so all brain cells may not be firing...]
What you're doing now:
> var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
> var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]
Wouldn't work the way you want. If it does work and is valid (I'm too
lazy to dig into the source right now) it is the same as setting EXTERNAL
You might want to consider running another instance of snort that is setup
to just watch the 192.168.41.0 net. Setup one as external as !$HOME on
one, then use 'any' on the second.
Granted it's not optimal, bit it would work.
More information about the Snort-users