[Snort-users] Home_net & external_net

Don Don at ...5881...
Fri Dec 6 11:02:04 EST 2002


well, the original email that started this, he had 3 subnets in the home_net variable, yet wanted to get alerts from only 1 of those subnets while still ignoring the other 2, so with the following
var HOME_NET [192.168.40.0/24,10.14.0.0/16,66.166.50.0/24] 
var TRUSTED_NET [192.168.40.0/24,66.166.50.0/24]
var EXTERNAL_NET !$TRUSTED_NET

would result in no alerts at all for the 2 subnets in trusted_net yet allow alerts for that '3rd' subnet in home_net
if trusted_net and home_net were to contain exactly all of the same subnets it would be redundant. trusted_net allows for you to modify the one line by adding or removing subnets as you wish and leaving the rules as is, it has made things alot easier for me. you dont have to put subnets in the trusted_net you can use single IP's as well, and for instance, ignore yourself for a day, or for testing, then remove the IP when you dont want it ignored any longer.
if you always use external net for alerts it probably would make no diff at all, but i've done this to narrow down false positives on numerous alerts, lets say i dont want icmp alerts from 192.168.40.0 but i want all other alerts, so i put 192.168.40.0 in trusted_net and in the alert rule i change external_net to !$trusted_net and i'm ok, however leaving it as external_net i would get alerts form it that i dont want, doing this keeps all other alerts in place. especially when external net isn't always everything that you have in external_net, sometimes I want alerts from IP 1, and not IP 2, and vice-versa

Don


> > 
> >However, I don't understand why setting up:
> >var TRUSTED_NET [192.168.40.0/24,10.14.0.0/16]
> >var EXTERNAL_NET !$TRUSTED_NET
> >
> >Is any different than:
> >var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]





More information about the Snort-users mailing list