[Snort-users] Snort.conf question $HOME_NET Question V1.8.6

Rose, Jerry L SAJ Contractor Jerry.L.Rose at ...3923...
Tue May 14 13:27:05 EDT 2002


Running on Linux (RedHat 7.2) - Snort 1.8.6
My home network (internal network addresses) runs as 
follows (not my real addresses)...
10.10.10.0/24
10.10.11.0/24
10.10.12.0/24
and so on and so forth for about 70 entries.

If I try this in snort.conf...
var Home_NET [10.10.10.0/24,10.10.11.0/24,10.10.12.0/24,the rest
through10.10.80.0/24]
then snort will not run.

I'm using this format below. Snort runs, but it seems that the 
variable HOME_NET isn't really what I think I am telling it to be.
var NET_01
[10.10.10.0/24,10.10.11.0/24,10.10.12.0/24...........10.10.30.0/24]
var NET_02
[10.10.31.0/24,10.10.32.0/24,10.10.33.0/24...........10.10.60.0/24]
var NET_03
[10.10.61.0/24,10.62.10.0/24,10.10.63.0/24...........10.10.80.0/24]

var HOME_NET $NET_01 $NET_02 $NET_03

var EXTERNAL_NET !$HOME_NET

Alerts like $EXTERNAL_NET any > $HOME_NET any are being logged even though
the packets are coming from internal addresses - what I intended to be 
included in $HOME_NET.

Any Ideas?

jerry.l.rose at ...5866...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020514/a9b93090/attachment.html>


More information about the Snort-users mailing list