[Snort-users] home_net and ext_net question
neil at ...1633...
Fri Apr 25 11:08:14 EDT 2003
Matt Kettler <mkettler at ...4108...> wrote:
>It will do funny things if you try to do HOME_NET as a comma-delimited list
>and forget to put ['s around it. Otherwise it should be fine.
If HOME_NET is defined thus ...
var HOME_NET any
... and EXTERNAL_NET as follows ...
var EXTERNAL_NET !$HOME_NET
... then will a rule written like this ...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Whatever";)
... ever match? Alternatively, if EXTERNAL_NET is set this way ...
var EXTERNAL_NET $HOME_NET
... would such a rule match on everything that comes past? Recent
posts on the list have shown these variables set the latter way, and
I'm not sure why anyone would do that.
Neil Dickey, Ph.D.
Northern Illinois University