[Snort-users] variable problem
erek at ...950...
Mon Jun 16 09:54:05 EDT 2003
On Mon, 16 Jun 2003, Brian Hughes wrote:
> I'm having a problem with the EXTERNAL_NET variable. We have two
> networks 10.5 and 10.6. Right now the IDS machine is listening for all
> traffic coming into the 10.6 network. I'm trying to set things up so
> that Snort will only alert for traffic coming into 10.6 from outside
> 10.6 and 10.5. Here is how I have my snort.conf variables defined.
> HOME_NET 10.6.0.0/24
> EXTERNAL_NET [!10.6.0.0/24,!10.5.0.0/24]
That's set correctly.
> (I also tried setting it to ![10.6.0.0/24,10.5.0.0/24] but it didn't
> work either).
> From looking through the archives I was thinking this would work,
> but it is still showing alerts being triggered by machines in the 10.6
> network with destinations of the 10.5 network.
> The only signature it is doing this for is the spp_portscan2 alert.
That's not a signature. That's an alert generated by the portscan2
preprocessor. portscan2 doesn't use HOME_NET or EXTERNAL_NET for
anything. For that, you need to use portscan2-ignorehosts. Have a look
at this email from the archives for some more info.
"When things get weird, the weird turn pro." H.S. Thompson