[Snort-users] Using Variables other than $HOME_NET and $EXTERNAL_NET?

Robinson, Eric R. erobinson at ...5206...
Fri Mar 22 15:17:01 EST 2002


Our State agency is part of a the larger State of Nevada network (we are a
subnet on their 10.x network). 

We want to monitor:

	1.	Intrusion attempts into our network from any outside source,
including the rest of the state.
	2.	Intrusion attempts from our network to any other part of the
state network.

But we do NOT want to monitor intrusion attempts from our network to
anywhere else, including the public Internet.

This means that we really need three tests against every packet, not just
two (i.e, not just $HOME_NET and $EXTERNAL_NET).

Can we create a third variable, $STATE_NET, for this purpose? Would this
effect performance very much? Does the order of appearance on snort.conf
matter?

--Eric








More information about the Snort-users mailing list