[Snort-users] EXTERNAL_NET

Phil Wood cpw at ...440...
Sun Jun 23 21:02:04 EDT 2002


On Sun, Jun 23, 2002 at 03:36:22AM -0400, Ashley Thomas wrote:
> I was using 
>  var HOME_NET [A.B.0.0/16]
>  var EXTERNAL_NET any
> 
> Then i was also logging some alerts which had
> A.B.x.y - > A.B.z.w
> 
> So i changed to
> var EXTERNAL_NET !HOME_NET

I'm sorry! I gave you a bumb steer.   When you use a variable for a value
in a config statement like:

  var EXTERNAL_NET "variable"

it needs to look like

  var EXTERNAL_NET !$HOME_NET


> 
> But now i dont see any alerts !!
> 
> Although there were some scans which were detected by another IDS.
> 
> Is there some problem still with the above statement ?
> 
> thanks
> 
> 
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Phil Wood
> Sent: Sunday, June 23, 2002 2:11 AM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] EXTERNAL_NET
> 
> 
> On Sun, Jun 23, 2002 at 01:32:40AM -0400, Ashley Thomas wrote:
> > Is it correct to say 
> > var EXTERNAL_NET !A.B.0.0/8
> > 
> > if i need to consider every ip except A.B.0.0 range as external ?
> 
>   var HOME_NET [A.B.0.0/16]*
> 
>   var EXTERNAL_NET !HOME_NET 
> 
> The brackets allow for some more nets like:
> 
>   var HOME_NET [A.B.0.0/16,192.168.1.0/24]
> 
> > 
> > thanks 
> > ashley
> > 
> > 
> > -------------------------------------------------------
> > Sponsored by:
> > ThinkGeek at http://www.ThinkGeek.com/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> -- 
> Phil Wood, cpw at ...440...
> 
> 
> 
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> 
> -------------------------------------------------------
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...





More information about the Snort-users mailing list