[Snort-users] variable question

Mike Ellis mellis at ...6912...
Tue Jun 10 07:07:05 EDT 2003


Hi,

I am running snort on my network, and am working on fine tuning the
rulebase to eliminate a lot of the false positives that my normal net
traffic generates.  To do so, I have been working with variables.

My EXTERNAL_NET variable looks like this in my snort.conf file:

var EXTERNAL_NET ![$HOME_NET,$NCREN]

I have defined HOME_NET and NCREN prior to establishing the EXTERNAL_NET
variable.  What I want to do is have my EXTERNAL_NET look at all things
except for HOME_NET and NCREN.  Can someone let me know if, as it is
written above, the variable statement should work?

Also, is there a command I can run to see what snort thinks my
EXTERNAL_NET variable is?

Thanks for reading, and for any assistance you can provide.

Sincerely,

Mike Ellis

*************************************
Telecommunications & Security Manager
UNC-TV
(919) 549-7824
mellis at ...6912...
www.unctv.org
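
An added example, not part of the original post and not Snort's own parser: a small model of the textual `$NAME` substitution in `var` lines. It prints the expanded EXTERNAL_NET string (note the nested brackets) and tests whether an address falls inside the set it describes. The HOME_NET and NCREN values are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config: HOME_NET and NCREN use documentation ranges,
# not the poster's real networks.
SAMPLE_CONF = """\
var HOME_NET [192.0.2.0/24,198.51.100.0/24]
var NCREN 203.0.113.0/24
var EXTERNAL_NET ![$HOME_NET,$NCREN]
"""

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines, ignoring comments."""
    table = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"var\s+(\w+)\s+(\S+)$", line)
        if m:
            table[m.group(1)] = m.group(2)
    return table

def expand(name, table, seen=()):
    """Substitute $NAME references as text; reject undefined or cyclic ones."""
    if name not in table:
        raise KeyError(f"undefined variable: {name}")
    if name in seen:
        raise ValueError(f"cyclic reference: {name}")
    return re.sub(r"\$(\w+)",
                  lambda m: expand(m.group(1), table, seen + (name,)),
                  table[name])

def to_networks(expanded):
    """Return (negated, networks), flattening any nested brackets."""
    negated = expanded.startswith("!")
    body = expanded.lstrip("!")
    if "!" in body:
        raise ValueError("negation inside the list is not modelled here")
    items = [s for s in re.split(r"[\[\],]", body) if s]
    return negated, [ipaddress.ip_network(s) for s in items]

def matches(addr, name, table):
    """True if addr is in the address set the variable describes."""
    negated, nets = to_networks(expand(name, table))
    inside = any(ipaddress.ip_address(addr) in n for n in nets)
    return inside != negated

if __name__ == "__main__":
    conf_vars = parse_vars(SAMPLE_CONF)
    print(expand("EXTERNAL_NET", conf_vars))
    print(matches("192.0.2.10", "EXTERNAL_NET", conf_vars))
```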




