[Snort-users] variable problem
brian.hughes at ...9476...
Mon Jun 16 09:29:07 EDT 2003
First I would like to say thank you in advance for any replies.
I'm having a problem with the EXTERNAL_NET variable. We have two networks
10.5 and 10.6 Right now the IDS machine is listening for all traffic
coming into the 10.6 network. I'm trying to set things up so that Snort
will only alert for traffic coming into 10.6 from outside 10.6 and
10.5. Here is how I have my snort.conf variables defined.
EXTERNAL_NET [!10.6.0.0/24,!10.5.0.0/24] (I also tried setting it to
![10.6.0.0/24,10.5.0.0/24] but it didn't work either).
From looking through the archives I was thinking this would work, but it
is still showing alerts being triggered by machines in the 10.6 network
with destinations of the 10.5 network.
The only signature it is doing this for is the spp_portscan2 alert.
Any help would be greatly appreciated.
More information about the Snort-users