[Snort-users] Snort IGNORES var HOME_NET

Matt Kettler mkettler at ...4108...
Wed May 8 11:24:24 EDT 2002


(originally sent to "Vadim Pushkin" <wiskbroom at ...125...>, but I messed 
up the CC to snort-users, hence the resend)

Could you show the exact line you used for var EXTERNAL_NET?

Did you accidentally forget the $ in the EXTERNAL_NET line?

You should have this:

var HOME_NET [192.168.1.0/24,10.10.0.0/16]

var EXTERNAL_NET !$HOME_NET


I suspect (educated guess only) that you have this:

var EXTERNAL_NET !HOME_NET

Which is not the same.

I did this on my setup and it works fine:

var HOME_NET [10.xx.0.0/16,192.168.xx.0/24,192.168.xx.0/24,192.168.xx.0/24]

var EXTERNAL_NET !$HOME_NET

Pardon the xx's, hiding some minor details about the inside of my network 
which really don't need to be hidden, but I'm using a little bit of paranoia.

At 02:15 PM 5/8/2002 +0000, Vadim Pushkin wrote:
>I've done this, and defined my HOME_NET to be
>the following:
>
>var HOME_NET [192.168.1.0/24,10.10.0.0/16]
>
>And I now get:
>
>May  8 10:06:21 hostname-1 snort: FATAL ERROR: ERROR 
>/snort/rules/bad-traffic.rules (11) => Couldn't resolve hostname HOME_NET





More information about the Snort-users mailing list