[Snort-users] variable problem

adam.w.hogan adam.w.hogan at ...9362...
Mon Jun 16 10:33:18 EDT 2003


Do you mean 10.5 and 10.6 each as the entire class B?  If so then try
setting it to:
$EXTERNAL_NET ![10.5.0.0/16,10.6.0.0/16]

16 is the CIDR switch for a class B (65536 hosts), 24 makes it a class C
(256 hosts).

I /think/ this would as well, but I'd check first:
$EXTERNAL_NET !10.5.0.0/15

-adam.

-----Original Message-----
From: Brian Hughes [mailto:brian.hughes at ...9476...]
Sent: Monday, June 16, 2003 12:28 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] variable problem


Hi,

	First I would like to say thank you in advance for any replies.	

	I'm having a problem with the EXTERNAL_NET variable.  We have
two networks 
10.5 and 10.6  Right now the IDS machine is listening for all traffic 
coming into the 10.6 network.  I'm trying to set things up so that Snort

will only alert for traffic coming into 10.6 from outside 10.6 and 
10.5.  Here is how I have my snort.conf variables defined.

	HOME_NET 10.6.0.0/24
	EXTERNAL_NET [!10.6.0.0/24,!10.5.0.0/24] (I also tried setting
it to 
![10.6.0.0/24,10.5.0.0/24] but it didn't work either).

	From looking through the archives I was thinking this would
work, but it 
is still showing alerts being triggered by machines in the 10.6 network 
with destinations of the 10.5 network.

	The only signature it is doing this for is the spp_portscan2
alert.

	Any help would be greatly appreciated.

Brian Hughes.
  



-------------------------------------------------------
This SF.NET email is sponsored by: eBay
Great deals on office technology -- on eBay now! Click here:
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list