[Snort-users] EXTERNAL_NET

Ashley Thomas athomas at ...5484...
Sun Jun 23 00:37:02 EDT 2002


I was using 
 var HOME_NET [A.B.0.0/16]
 var EXTERNAL_NET any

Then i was also logging some alerts which had
A.B.x.y - > A.B.z.w

So i changed to
var EXTERNAL_NET !HOME_NET

But now i dont see any alerts !!

Although there were some scans which were detected by another IDS.

Is there some problem still with the above statement ?

thanks


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Phil Wood
Sent: Sunday, June 23, 2002 2:11 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] EXTERNAL_NET


On Sun, Jun 23, 2002 at 01:32:40AM -0400, Ashley Thomas wrote:
> Is it correct to say 
> var EXTERNAL_NET !A.B.0.0/8
> 
> if i need to consider every ip except A.B.0.0 range as external ?

  var HOME_NET [A.B.0.0/16]*

  var EXTERNAL_NET !HOME_NET 

The brackets allow for some more nets like:

  var HOME_NET [A.B.0.0/16,192.168.1.0/24]

> 
> thanks 
> ashley
> 
> 
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...



-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list