[Snort-users] external_net vs !home_net

charella constansia sharella at ...131...
Fri Sep 27 12:39:05 EDT 2002


Hi,

I've been dealing with this for a while. I want to
know if I'm doing something wrong or if it's a bug in
Snort.

I'm running a Snort sensor (1.8.7) on RedHat 7.3.

My snort.conf:
$HOME_NET [xx,xx,xx,xx/24,yy,yy,yy,yy/24,and a few more]
$EXTERNAL_NET !$HOME_NET.

If I write an alert:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"bla";)
This rule will also catch traffic from my internal net
to my internal net, and I will get too many false
positives.
But if I write it like below:
alert tcp $HOME_NET any -> !$HOME_NET any (msg:"bla";)
it won't catch it.

Is this a bug in Snort if you have multiple subnets in
your HOME_NET?

Please help me, 

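The two rule forms in the post should be equivalent if `!` applied to a bracketed list means "not in any of these subnets". The following Python evaluator is an added example written for this thread, not code from Snort or the poster: it models that intended semantics, and, as a labelled hypothetical, also a per-element mis-application of negation (`![A,B]` read as "not in A or not in B"), to show why such a divergence only becomes visible once HOME_NET holds two or more subnets. The subnets below are constructed placeholders, not the poster's elided xx/yy addresses, and nothing here asserts which of the two behaviours any Snort release actually has.

```python
import ipaddress

# Constructed sample values standing in for the poster's elided xx/yy subnets.
HOME_NET = "[10.1.0.0/24,10.2.0.0/24,192.168.5.0/24]"
EXTERNAL_NET = "!" + HOME_NET   # the snort.conf idiom from the post: EXTERNAL_NET = !HOME_NET


def parse_ip_list(spec):
    """Split a Snort-style address spec into (negated, [networks]).

    Accepts 'a.b.c.d/nn', '[x,y,z]', '!x' and '![x,y,z]'.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(part.strip(), strict=False)
            for part in spec.split(",") if part.strip()]
    return negated, nets


def in_any(ip, nets):
    return any(ip in net for net in nets)


def matches_list_negation(addr, spec):
    """Intended semantics: '![A,B]' means NOT (in A or in B)."""
    negated, nets = parse_ip_list(spec)
    hit = in_any(ipaddress.ip_address(addr), nets)
    return (not hit) if negated else hit


def matches_per_element_negation(addr, spec):
    """Hypothetical mis-evaluation (illustration only, not a claim about any
    Snort release): '![A,B]' treated as '(not in A) or (not in B)'.

    With one subnet this agrees with the intended semantics; with two or
    more it is true for every address, so a home-to-home packet matches.
    """
    negated, nets = parse_ip_list(spec)
    ip = ipaddress.ip_address(addr)
    if not negated:
        return in_any(ip, nets)
    return any(ip not in net for net in nets)


def rule_fires(src, dst, src_spec, dst_spec, evaluator=matches_list_negation):
    """Evaluate the address part of 'alert tcp SRC any -> DST any'."""
    return evaluator(src, src_spec) and evaluator(dst, dst_spec)


if __name__ == "__main__":
    home_src, home_dst, ext_dst = "10.1.0.7", "10.2.0.9", "203.0.113.5"
    for name, ev in (("list negation", matches_list_negation),
                     ("per-element negation (hypothetical)", matches_per_element_negation)):
        print(name)
        print("  home -> home, dst !$HOME_NET:",
              rule_fires(home_src, home_dst, HOME_NET, EXTERNAL_NET, ev))
        print("  home -> ext,  dst !$HOME_NET:",
              rule_fires(home_src, ext_dst, HOME_NET, EXTERNAL_NET, ev))
```

Under the intended semantics `$EXTERNAL_NET` (defined as `!$HOME_NET`) and a literal `!$HOME_NET` in the rule are the same set, so the internal-to-internal packet does not fire in either form; the handful of source/destination pairs above can be replayed against a sensor to see whether it diverges from that.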



