[Snort-users] HOME_NET and EXTERNAL_NET question

John Sage jsage at ...2022...
Sat Feb 9 07:59:04 EST 2002


I would say that you want to set your $HOME_NET and $EXTERNAL_NET
correctly for your network topology, and accomplish what you're
*really* trying to do with rules, maybe in local.rules.

There, establish rules that look at traffic outbound, thus:

alert tcp $HOME_NET -> $EXTERNAL_NET 10101 (msg:"SCAN myscan"; \
 ttl: >220; ack: 0; flags: S;reference:arachnids,439; \
 classtype:attempted-recon; sid:613; rev:1;)

Note that this is only an example, but that the source and
destinations are flipped from the original rule in scan.rules.


- John

Most people don't type their own logfiles;  but, what do I care?

On Fri, Feb 08, 2002 at 03:45:10PM -0800, Kresna Prawira wrote:
> If I want to monitor traffic originated both from inside network and
> external network, what  is the best way to do that?  The reason for this is
> to monitor if any of my internal users try to hack somebody outside. 
> right now I put "any" on HOME_NET and EXTERNAL_NET
> thanks.

More information about the Snort-users mailing list