[Snort-users] snort.conf & commandline.

Erek Adams erek at ...577...
Mon Jul 8 08:44:03 EDT 2002


On Mon, 8 Jul 2002, Rich Adamson wrote:

> My guess based on your comments is you probably want an equal sign
> in the var External_Net definition. Something like:
>   var EXTERNAL_NET = $HOME_NET,  or,
>   var EXTERNAL_NET != $HOME_NET
>
> If I've understood what you're trying to accomplish, the Home_Net should
> describe the IP addresses that you are trying to protect (or observe),
> and the External_Net is everything else (eg, !=).

First off, to answer Sander's earlier question:

	When -S is used, it does "override" or replace the variable before
the interpretation of the file.  So using -S on the command line would simply
set HOME_NET to whatever and then EXTERNAL_NET to the same.

Next:

	The two most common settings for EXTERNAL_NET are:

		var EXTERNAL_NET any
		var EXTERNAL_NET !$HOME_NET

	I use the second due to sensor placement.  If you're building
packages, then I would suggest using that.  That implies "The internet minus
$HOME_NET" which is what I think you want.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
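
Added example, not part of the message above and not Snort's own code: a simplified Python model of the variable handling described in the message, showing how `any` and `!$HOME_NET` differ for inside-to-inside traffic and how a -S value carries through to EXTERNAL_NET. The sample networks, the `$EXTERNAL_NET any -> $HOME_NET any` rule header and all function names are assumptions made for the illustration.

```python
import ipaddress
import re

def resolve_vars(conf_lines, cli_vars=None):
    """Model of the behaviour described above: -S values are set first,
    and a 'var' line in the file for the same name does not replace them."""
    cli_vars = dict(cli_vars or {})
    table = dict(cli_vars)
    for line in conf_lines:
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[0] != "var" or parts[1] in cli_vars:
            continue
        # Expand $NAME references using what has been defined so far.
        table[parts[1]] = re.sub(r"\$(\w+)", lambda m: table[m.group(1)], parts[2].strip())
    return table

def in_spec(spec, ip):
    """True if ip falls inside an address spec: any, CIDR, [list], or !negation."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not in_spec(spec[1:], ip)
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False)
               for n in spec.strip("[]").split(","))

def header_matches(table, src, dst):
    """Would a rule headed '$EXTERNAL_NET any -> $HOME_NET any' consider this packet?"""
    return in_spec(table["EXTERNAL_NET"], src) and in_spec(table["HOME_NET"], dst)

# Constructed sample configs and addresses (not from the original message).
CONF_NEGATED = ["var HOME_NET 192.168.1.0/24", "var EXTERNAL_NET !$HOME_NET"]
CONF_ANY = ["var HOME_NET 192.168.1.0/24", "var EXTERNAL_NET any"]
CONF_SAME = ["var HOME_NET 192.168.1.0/24", "var EXTERNAL_NET $HOME_NET"]

if __name__ == "__main__":
    for name, conf in [("!$HOME_NET", CONF_NEGATED), ("any", CONF_ANY)]:
        t = resolve_vars(conf)
        print(name, "outside->inside:", header_matches(t, "203.0.113.5", "192.168.1.10"),
              "inside->inside:", header_matches(t, "192.168.1.20", "192.168.1.10"))
    print(resolve_vars(CONF_SAME, {"HOME_NET": "10.0.0.0/8"}))
```

With `!$HOME_NET` the inside-to-inside packet never reaches such a rule, which is why the choice depends on where the sensor sits.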




