[Snort-users] home_net and ext_net question

Matt Kettler mkettler at ...4108...
Fri Apr 25 12:27:03 EDT 2003


At 01:07 PM 4/25/2003 -0500, Neil Dickey wrote:
>If HOME_NET is defined thus ...
>
>       var HOME_NET any
>
>... and EXTERNAL_NET as follows ...
>
>       var EXTERNAL_NET !$HOME_NET
>
>... then will a rule written like this ...
>
>       alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Whatever";)
>
>... ever match?  Alternatively, if EXTERNAL_NET is set this way ...
>
>       var EXTERNAL_NET $HOME_NET
>
>... would such a rule match on everything that comes past?  Recent
>posts on the list have shown these variables set the latter way, and
>I'm not sure why anyone would do that.

You are correct, it would never match. I was excluding the case of HOME_NET 
being any, since this thread was about comma-delimited lists of multiple IP 
ranges.

In the case of using "any" for HOME_NET you want:

var HOME_NET any
var EXTERNAL_NET any

But again, that's not really a part of this thread.
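
The cases discussed in this message, as an added example that is not part of the original post and is not Snort's own code: a simplified Python model of how `any`, `!` and `$VAR` references combine in the source and destination fields of the rule quoted above. It assumes `!any` is the empty set, as the thread concludes; the function names, the bracketed list value and the sample addresses are constructed for illustration.

```python
import ipaddress

def resolve(value, variables):
    """Expand a var value; return (negated, networks), networks=None meaning 'any'."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.startswith("$"):                      # reference to another var
        inner_neg, nets = resolve(variables[value[1:]], variables)
        return negated != inner_neg, nets          # a double negation cancels out
    if value == "any":
        return negated, None
    items = value.strip("[]").split(",")           # comma-delimited list of ranges
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def addr_matches(addr, value, variables):
    """True if addr falls inside the address set described by value."""
    negated, nets = resolve(value, variables)
    inside = True if nets is None else any(
        ipaddress.ip_address(addr) in n for n in nets)
    return inside != negated                       # assumption: "!any" is the empty set

def rule_matches(src, dst, variables):
    """Model of: alert tcp $EXTERNAL_NET any -> $HOME_NET any (...)"""
    return (addr_matches(src, "$EXTERNAL_NET", variables)
            and addr_matches(dst, "$HOME_NET", variables))

# Constructed configurations mirroring the cases in the thread.
NEGATED_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "!$HOME_NET"}
SAME_AS_HOME = {"HOME_NET": "any", "EXTERNAL_NET": "$HOME_NET"}
BOTH_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
HOME_LIST = {"HOME_NET": "[192.168.1.0/24,10.0.0.0/8]",
             "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    # Constructed packet: documentation-range source, private destination.
    src, dst = "203.0.113.5", "192.168.1.10"
    for name, cfg in [("!$HOME_NET with any", NEGATED_ANY),
                      ("$HOME_NET with any", SAME_AS_HOME),
                      ("both any", BOTH_ANY),
                      ("list + negation", HOME_LIST)]:
        print(f"{name:22} -> rule matches: {rule_matches(src, dst, cfg)}")
```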




