[Snort-users] home_net and ext_net question
mkettler at ...4108...
Fri Apr 25 12:27:03 EDT 2003
At 01:07 PM 4/25/2003 -0500, Neil Dickey wrote:
>If HOME_NET is defined thus ...
> var HOME_NET any
>... and EXTERNAL_NET as follows ...
> var EXTERNAL_NET !$HOME_NET
>... then will a rule written like this ...
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Whatever";)
>... ever match? Alternatively, if EXTERNAL_NET is set this way ...
> var EXTERNAL_NET $HOME_NET
>... would such a rule match on everything that comes past? Recent
>posts on the list have shown these variables set the latter way, and
>I'm not sure why anyone would do that.

You are correct, it would never match. I was excluding the case of HOME_NET
being any, since this thread was about comma delimited lists of multiple IP

In the case of using "any" for HOME_NET you want:

 var HOME_NET any
 var EXTERNAL_NET any

But again, that's not really a part of this thread.
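
The variable combinations discussed in this message, as an added example that is not part of the original post and is not Snort's own code: a simplified Python model of how `$EXTERNAL_NET any -> $HOME_NET any` evaluates under each definition. It assumes single-value variables only (no comma-delimited lists), treats `!any` as matching nothing, and uses constructed documentation addresses; `resolve`, `rule_matches`, `hits` and `CONFIGS` are hypothetical names.

```python
import ipaddress

def resolve(value, variables):
    """Expand $NAME references and '!' prefixes.
    Returns (negated, network), where network is None for 'any'."""
    negated = False
    while True:
        if value.startswith("!"):
            negated = not negated
            value = value[1:]
        elif value.startswith("$"):
            value = variables[value[1:]]
        else:
            break
    net = None if value == "any" else ipaddress.ip_network(value)
    return negated, net

def addr_matches(addr, value, variables):
    negated, net = resolve(value, variables)
    inside = True if net is None else ipaddress.ip_address(addr) in net
    return inside != negated  # "!any" is therefore always False

def rule_matches(src, dst, variables):
    # Header of the rule quoted in the thread: $EXTERNAL_NET any -> $HOME_NET any
    return (addr_matches(src, "$EXTERNAL_NET", variables)
            and addr_matches(dst, "$HOME_NET", variables))

# Constructed sample traffic (RFC 5737 documentation ranges)
PACKETS = [("203.0.113.5", "192.0.2.10"),   # outside -> inside
           ("192.0.2.10", "203.0.113.5"),   # inside -> outside
           ("192.0.2.10", "192.0.2.20")]    # inside -> inside

CONFIGS = {
    "any / !$HOME_NET":  {"HOME_NET": "any", "EXTERNAL_NET": "!$HOME_NET"},
    "any / any":         {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    "any / $HOME_NET":   {"HOME_NET": "any", "EXTERNAL_NET": "$HOME_NET"},
    "cidr / !$HOME_NET": {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"},
    "cidr / $HOME_NET":  {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "$HOME_NET"},
}

def hits(variables):
    """One boolean per sample packet: does the rule header match?"""
    return [rule_matches(s, d, variables) for s, d in PACKETS]

if __name__ == "__main__":
    for name, variables in CONFIGS.items():
        print(f"{name:18} {hits(variables)}")
```

With a CIDR HOME_NET, setting EXTERNAL_NET to `$HOME_NET` restricts the rule to inside-to-inside traffic, so inbound traffic from outside is not inspected by it.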