[Snort-users] exclude home_net from external_net

pilsl at ...7275...
Thu Oct 24 06:09:15 EDT 2002

I'm quite new to snort.  I set the home_net to my internal-net and
external_net to any

Now I get myriads of alerts when internal clients connect to our squid
server. Of course this is not what I want (alerts are only useful on
external connects), so I took a close look at the corresponding rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)

sid-msg.map:
618 || SCAN Squid Proxy attempt

In that sense of course any connect from HOME_NET to HOME_NET will
raise an alert, because home_net is a real subnet of EXTERNAL_NET.

So I think it would be wise to define EXTERNAL_NET as "ANY but not

Is there any reason why I don't want to do this?  If not: how could I
do this? In the docs I found only a way to specify include-changes but
no way to specify exclude-ranges.

Of course I could remove the whole rule on the sensor for the internal
interface, but I'd like to keep both rulesets consistent for easier


mag. peter pilsl
tel: +43-699-1-3574035
fax: +43-699-4-3574035
pilsl at ...7275...
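Added example, not part of the original post: a small Python model of how the sid:618 rule's $EXTERNAL_NET / $HOME_NET address tests resolve, showing why an internal client hitting the squid port fires the rule when EXTERNAL_NET is "any" and no longer fires when EXTERNAL_NET is defined as the negation of HOME_NET. The subnet and client addresses are constructed samples, and the helper names are this example's own.

```python
import ipaddress

# Resolve a Snort-style address spec ("any", a CIDR, "$VAR", "!$VAR")
# into (negated, [networks]). Only the syntax this example needs.
def parse_ipvar(spec, variables):
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = variables[spec[1:]]
        return (negated != inner_negated), nets
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    return negated, [ipaddress.ip_network(spec)]

# True when `ip` satisfies the spec, honouring negation.
def matches(spec, variables, ip):
    negated, nets = parse_ipvar(spec, variables)
    addr = ipaddress.ip_address(ip)
    in_any_net = any(addr in net for net in nets)
    return in_any_net != negated

# Build the variable table the way snort.conf would:
# HOME_NET first, so EXTERNAL_NET may refer to it.
def build_vars(home_net, external_net):
    variables = {}
    variables["HOME_NET"] = parse_ipvar(home_net, variables)
    variables["EXTERNAL_NET"] = parse_ipvar(external_net, variables)
    return variables

# Header match of: alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (sid:618)
def squid_scan_alert(variables, src, dst, dport):
    return (dport == 3128
            and matches("$EXTERNAL_NET", variables, src)
            and matches("$HOME_NET", variables, dst))

if __name__ == "__main__":
    internal_client, squid, outsider = "192.168.1.10", "192.168.1.2", "203.0.113.5"
    noisy = build_vars("192.168.1.0/24", "any")            # as in the post
    quiet = build_vars("192.168.1.0/24", "!$HOME_NET")     # everything except HOME_NET
    print("any:        internal->squid alerts:", squid_scan_alert(noisy, internal_client, squid, 3128))
    print("!$HOME_NET: internal->squid alerts:", squid_scan_alert(quiet, internal_client, squid, 3128))
    print("!$HOME_NET: outsider->squid alerts:", squid_scan_alert(quiet, outsider, squid, 3128))
```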
