At 10:05 AM 6/10/2003 -0400, Mike Ellis wrote:
>My EXTERNAL_NET variable looks like this in my snort.conf file:
>I have defined HOME_NET and NCREN prior to establishing the EXTERNAL_NET
>variable.  What I want to do is have my EXTERNAL_NET look at all things
>except for HOME_NET and NCREN.  Can someone let me know if, as it is
>written above, the variable statement should work?

The statement you list should work properly and as expected, provided that 
$NCREN and $HOME_NET are defined and are valid in syntax.

A common mistake people often make is a basic boolean logic mistake.. you 
often see people write things like:


Which looks correct at casual glance, but is incorrect, since if NCREN and 
HOME_NET are non-intersecting, it is the same as "any". But you didn't make 
that mistake.

Congratulations, you understand basic boolean operations better than most :)

>Also, is there a command I can run to see what snort thinks my
>EXTERNAL_NET variable is?

Snort variables aren't really variables at all.. AFAIK they are implemented 
as literal text substitution, so they are more akin to C's #define than a 

I don't think there is a command to show what a var statement is, but a bit 
of copy-paste should show what it winds up being.

