[Snort-users] snort.conf & commandline.

Erek Adams erek at ...577...
Mon Jul 8 08:44:03 EDT 2002

On Mon, 8 Jul 2002, Rich Adamson wrote:

> My guess based on your comments is you probably want an equal sign
> in the var External_Net definition. Something like:
>   var EXTERNAL_NET = $HOME_NET,  or,
> If I've understood what you're trying to accomplish, the Home_Net should
> describe the IP addresses that you are trying to protect (or observe),
> and the External_Net is everything else (eg, !=).

First off, to answer Sander's earlier question:

	When -S is used, it does "overrride" or replace the variable before
the interpretation of the file.  So using -S on the command line would simply
set HOME_NET to whatever and then EXTERNAL_NET to the same.


	The two most common settings for EXTERNAL_NET are:

		var EXTERNAL_NET any

	I use the second due to sensor placement.  If you're building
packages, then I would suggest to use that.  That implies "The internet minus
$HOME_NET" which is what I think you want.

Hope that helps!

Erek Adams

