[Snort-users] variable problem

Erek Adams erek at ...950...
Mon Jun 16 09:54:05 EDT 2003


On Mon, 16 Jun 2003, Brian Hughes wrote:

> 	I'm having a problem with the EXTERNAL_NET variable.  We have two
> networks 10.5 and 10.6.  Right now the IDS machine is listening for all
> traffic coming into the 10.6 network.  I'm trying to set things up so
> that Snort will only alert for traffic coming into 10.6 from outside
> 10.6 and 10.5.  Here is how I have my snort.conf variables defined.
>
> 	HOME_NET 10.6.0.0/24
> 	EXTERNAL_NET [!10.6.0.0/24,!10.5.0.0/24]

That's set correctly.

> (I also tried setting it to ![10.6.0.0/24,10.5.0.0/24] but it didn't
> work either).
>
> 	From looking through the archives I was thinking this would work,
> but it is still showing alerts being triggered by machines in the 10.6
> network with destinations of the 10.5 network.
>
> 	The only signature it is doing this for is the spp_portscan2 alert.

That's not a signature.  That's an alert generated by the portscan2
preprocessor.  portscan2 doesn't use HOME_NET or EXTERNAL_NET for
anything.  For that, you need to use portscan2-ignorehosts.  Have a look
at this [0] email from the archives for some more info.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://marc.theaimsgroup.com/?l=snort-users&m=105104781609557&w=2
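
Added example, not part of the original email or of Snort: a short Python triage script that finds preprocessor alerts whose source lies inside the two networks from the question, which are the hosts to consider for portscan2-ignorehosts. The alert-line layout, the "(spp_name)" tag convention, and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Networks the original poster wanted treated as "inside" (from the post).
INTERNAL_NETS = [ipaddress.ip_network("10.6.0.0/24"),
                 ipaddress.ip_network("10.5.0.0/24")]

# Assumption: a preprocessor alert carries a "(spp_<name>)" tag and the first
# IPv4 address after that tag is the reported source of the activity.
PREPROC_RE = re.compile(r"\((spp_\w+)\).*?(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample alert lines (not real captures).
SAMPLE = [
    "[**] [117:1:1] (spp_portscan2) Portscan detected from 10.6.0.5: 6 targets 21 ports in 0 seconds [**]",
    "[**] [117:1:1] (spp_portscan2) Portscan detected from 10.6.0.5: 4 targets 30 ports in 2 seconds [**]",
    "[**] [117:1:1] (spp_portscan2) Portscan detected from 192.0.2.44: 8 targets 8 ports in 1 seconds [**]",
    "[**] [1:0:0] EXAMPLE rule alert [**] {TCP} 192.0.2.10:1234 -> 10.6.0.20:80",
]


def is_internal(addr):
    """True if addr falls inside any network in INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def internal_preproc_sources(lines):
    """Count preprocessor alerts per (preprocessor, internal source) pair.

    Rule alerts are skipped: those are already scoped by HOME_NET and
    EXTERNAL_NET in the rule header, unlike preprocessor alerts.
    """
    hits = Counter()
    for line in lines:
        m = PREPROC_RE.search(line)
        if m and is_internal(m.group(2)):
            hits[(m.group(1), m.group(2))] += 1
    return hits


def ignorehosts_candidates(lines, preproc="spp_portscan2"):
    """Sorted internal sources that tripped the given preprocessor."""
    return sorted({src for (name, src) in internal_preproc_sources(lines)
                   if name == preproc})


if __name__ == "__main__":
    for (name, src), n in internal_preproc_sources(SAMPLE).items():
        print(f"{name}: {src} raised {n} alert(s) despite being internal")
    print("candidates:", " ".join(ignorehosts_candidates(SAMPLE)))
```

Review each candidate before ignoring it, since an internal host that scans its neighbours may be worth investigating rather than silencing.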



