[Snort-users] snort.conf & commandline.
erek at ...577...
Mon Jul 8 08:44:03 EDT 2002
On Mon, 8 Jul 2002, Rich Adamson wrote:
> My guess based on your comments is you probably want an equal sign
> in the var External_Net definition. Something like:
> var EXTERNAL_NET = $HOME_NET, or,
> var EXTERNAL_NET != $HOME_NET
> If I've understood what you're trying to accomplish, the Home_Net should
> describe the IP addresses that you are trying to protect (or observe),
> and the External_Net is everything else (eg, !=).
First off, to answer Sander's earlier question:
When -S is used, it does "override" or replace the variable before
the interpretation of the file. So using -S on the command line would simply
set HOME_NET to whatever and then EXTERNAL_NET to the same.
The two most common settings for EXTERNAL_NET are:

    var EXTERNAL_NET any
    var EXTERNAL_NET !$HOME_NET

I use the second due to sensor placement. If you're building
packages, then I would suggest using that. That implies "The internet minus
$HOME_NET" which is what I think you want.
Hope that helps!
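
Added example, not part of the original post and not Snort's own parser: a simplified Python model of the behaviour described above, where a value given with -S replaces the file's definition before the file is interpreted, so a plain `$HOME_NET` makes EXTERNAL_NET identical to HOME_NET while `!$HOME_NET` makes it everything else. The function names, the sample configs and the addresses are constructed for illustration, and only `any`, a single CIDR and a negated CIDR are handled.

```python
import ipaddress

# Constructed sample configs: one copies HOME_NET, one negates it.
CONF_SAME = "var HOME_NET 192.168.1.0/24\nvar EXTERNAL_NET $HOME_NET\n"
CONF_NEGATED = "var HOME_NET 192.168.1.0/24\nvar EXTERNAL_NET !$HOME_NET\n"


def resolve_vars(conf_text, cmdline=None):
    """Resolve `var NAME value` lines; names passed in cmdline (as with -S) win."""
    cmdline = dict(cmdline or {})
    resolved = dict(cmdline)
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "var":
            continue
        name, value = parts[1], parts[2]
        if name in cmdline:
            continue  # assumption from the post: the -S value replaces this line
        negate = value.startswith("!")
        ref = value.lstrip("!")
        if ref.startswith("$"):
            ref = resolved[ref[1:]]  # KeyError if the variable is undefined
        resolved[name] = ("!" if negate else "") + ref
    return resolved


def matches(spec, ip):
    """True if ip falls inside an address spec: `any`, CIDR or !CIDR."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"))
    inside = ipaddress.ip_address(ip) in net
    return inside != negate


if __name__ == "__main__":
    override = {"HOME_NET": "10.1.0.0/16"}  # as if given with -S on the command line
    for label, conf in (("$HOME_NET", CONF_SAME), ("!$HOME_NET", CONF_NEGATED)):
        ext = resolve_vars(conf, override)["EXTERNAL_NET"]
        print(label, "->", ext,
              "| internal host external?", matches(ext, "10.1.2.3"),
              "| outside host external?", matches(ext, "203.0.113.9"))
```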