[Snort-users] home_net and ext_net question
mkettler at ...4108...
Thu Apr 24 15:38:10 EDT 2003
At 02:38 PM 4/24/2003 -0700, Everist, Benjamin S. (NASWI) wrote:
> >Having HOME_NET encapsulate two or more networks can do funny things to the
> >Snort rules when one simply negates EXTERNAL_NET (i.e., var EXTERNAL_NET
> >!$HOME_NET, or some variant).
>What kinds of funny things?
It will do funny things if you try to do HOME_NET as a comma-delimited list
and forget to put ['s around it. Otherwise it should be fine.

![10.0.0.0/8,192.168.1.0/24] is different than ! 10.0.0.0/8,192.168.1.0/24

I suspect this is where the "funny things" experience comes in, from
someone errantly declaring:

var HOME_NET 10.0.0.0/8,192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
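
A check for the declaration pattern described in the message above, as an added example that is not part of the original post or of Snort itself: it scans `var` lines for comma-delimited lists without brackets and for negations that reference them. The variables DMZ_NET and NOT_DMZ, the sample text and the function names are constructed for illustration; the script only flags the syntax and does not model how Snort evaluates it.

```python
import re

# Constructed sample: lines 1-2 are the declaration quoted in the post,
# lines 3-4 are the same networks with the list wrapped in brackets.
SAMPLE_CONF = """\
var HOME_NET 10.0.0.0/8,192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var DMZ_NET [10.0.0.0/8,192.168.1.0/24]
var NOT_DMZ !$DMZ_NET
"""

VAR_LINE = re.compile(r"^\s*var\s+(\S+)\s+(.*\S)\s*$")
VAR_REF = re.compile(r"(!?)\s*\$(\w+)")


def is_bare_list(value):
    """True for a comma-delimited list that is not wrapped in [ ]."""
    body = value.lstrip("!").strip()
    return "," in body and not (body.startswith("[") and body.endswith("]"))


def lint_vars(conf_text):
    """Return (line_no, name, reason) for each risky var declaration."""
    findings = []
    bare = set()  # variables that hold (or alias) an unbracketed list
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = VAR_LINE.match(line)
        if not m:
            continue  # comments, blank lines, non-var directives
        name, value = m.groups()
        if is_bare_list(value):
            bare.add(name)
            findings.append((line_no, name, "comma list without [ ]"))
            continue
        ref = VAR_REF.fullmatch(value)
        if ref and ref.group(2) in bare:
            bare.add(name)  # an alias carries the unbracketed list with it
            if ref.group(1) == "!":
                reason = "negates unbracketed list $" + ref.group(2)
                findings.append((line_no, name, reason))
    return findings


if __name__ == "__main__":
    for line_no, name, reason in lint_vars(SAMPLE_CONF):
        print(f"line {line_no}: {name}: {reason}")
```
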