[Snort-users] HOME_NET and EXTERNAL_NET question
jsage at ...2022...
Sat Feb 9 07:59:04 EST 2002
I would say that you want to set your $HOME_NET and $EXTERNAL_NET
correctly for your network topology, and accomplish what you're
*really* trying to do with rules, maybe in local.rules.
There, establish rules that look at traffic outbound, thus:

alert tcp $HOME_NET any -> $EXTERNAL_NET 10101 (msg:"SCAN myscan"; \
    ttl: >220; ack: 0; flags: S; reference:arachnids,439; \
    classtype:attempted-recon; sid:613; rev:1;)

Note that this is only an example, but that the source and
destinations are flipped from the original rule in scan.rules.
Most people don't type their own logfiles; but, what do I care?
On Fri, Feb 08, 2002 at 03:45:10PM -0800, Kresna Prawira wrote:
> If I want to monitor traffic originated both from inside network and
> external network, what is the best way to do that? The reason for this is
> to monitor if any of my internal users try to hack somebody outside.
> right now I put "any" on HOME_NET and EXTERNAL_NET
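
Added example (not part of the original message and not Snort's own code): a small Python model of Snort rule-header matching, showing that with both variables set to "any" a rule loses its direction, while a scoped HOME_NET lets an outbound rule fire only on internal-to-external traffic. The 192.168.1.0/24 subnet, the sample packets and the mirrored inbound header are constructed assumptions; only addresses and ports are modelled, not rule options such as ttl or flags.

```python
import ipaddress

def expand(spec, variables):
    """Turn a Snort-style address spec ($VAR, !spec, any, CIDR) into a predicate."""
    if spec.startswith("!"):
        inner = expand(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return expand(variables[spec[1:]], variables)
    if spec == "any":
        return lambda ip: True
    net = ipaddress.ip_network(spec)
    return lambda ip: ipaddress.ip_address(ip) in net

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(header, variables, pkt):
    """header: 'src_ip src_port -> dst_ip dst_port'; pkt: (src, sport, dst, dport)."""
    src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only the one-way '->' operator is modelled")
    s, sp, d, dp = pkt
    return (expand(src, variables)(s) and port_ok(sport, sp)
            and expand(dst, variables)(d) and port_ok(dport, dp))

# Rule headers: an outbound rule and a constructed inbound mirror of it.
RULES = {
    "outbound": "$HOME_NET any -> $EXTERNAL_NET 10101",
    "inbound": "$EXTERNAL_NET any -> $HOME_NET 10101",
}

# Variable settings: "any" on both sides versus a scoped network (assumed subnet).
ANY_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
SCOPED_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port).
PACKETS = {
    "internal_to_outside": ("192.168.1.50", 40000, "203.0.113.9", 10101),
    "outside_to_internal": ("203.0.113.9", 40000, "192.168.1.50", 10101),
}

def fired(variables):
    """Map each sample packet to the names of the rules whose header matches it."""
    return {name: [r for r, hdr in RULES.items() if header_matches(hdr, variables, pkt)]
            for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("any/any:", fired(ANY_VARS))
    print("scoped: ", fired(SCOPED_VARS))
```

With "any" on both variables every rule fires in both directions, so an alert no longer says whether an internal host was the source or the target.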