[Snort-users] variable problem

Jim Cervantes jcervant at ...9478...
Mon Jun 16 11:02:10 EDT 2003


Since every address matches either !10.6.0.0/24, !10.5.0.0/24 or both, isn't
your suggestion of setting EXTERNAL_NET to [!10.6.0.0/24,!10.5.0.0/24]
equivalent to setting it to any?

-Jim

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Monday, June 16, 2003 12:53 PM
To: Brian Hughes
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] variable problem


On Mon, 16 Jun 2003, Brian Hughes wrote:

> 	I'm having a problem with the EXTERNAL_NET variable.  We have two
> networks 10.5 and 10.6.  Right now the IDS machine is listening for all
> traffic coming into the 10.6 network.  I'm trying to set things up so
> that Snort will only alert for traffic coming into 10.6 from outside
> 10.6 and 10.5.  Here is how I have my snort.conf variables defined.
>
> 	HOME_NET 10.6.0.0/24
> 	EXTERNAL_NET [!10.6.0.0/24,!10.5.0.0/24]

That's set correctly.

> (I also tried setting it to ![10.6.0.0/24,10.5.0.0/24] but it didn't
> work either).
>
> 	From looking through the archives I was thinking this would work,
> but it is still showing alerts being triggered by machines in the 10.6
> network with destinations of the 10.5 network.
>
> 	The only signature it is doing this for is the spp_portscan2 alert.

That's not a signature.  That's an alert generated by the portscan2
preprocessor.  portscan2 doesn't use HOME_NET or EXTERNAL_NET for
anything.  For that, you need to use portscan2-ignorehosts.  Have a look
at this [0] email from the archives for some more info.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://marc.theaimsgroup.com/?l=snort-users&m=105104781609557&w=2
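
The question at the top of this message is one of set logic. The following is an added example, not part of the original thread and not Snort's own code, that evaluates the two possible readings of [!10.6.0.0/24,!10.5.0.0/24] with Python's ipaddress module. The thread does not say which reading a given Snort version applies; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# The two networks from the snort.conf lines quoted in the thread.
EXCLUDED = [
    ipaddress.ip_network("10.6.0.0/24"),
    ipaddress.ip_network("10.5.0.0/24"),
]

def matches_any_negation(addr, excluded=EXCLUDED):
    """Reading 1 (hypothetical helper): list elements are OR'ed, so an
    address matches if it satisfies ANY single '!net' element."""
    ip = ipaddress.ip_address(addr)
    return any(ip not in net for net in excluded)

def matches_all_negations(addr, excluded=EXCLUDED):
    """Reading 2 (hypothetical helper): negations are AND'ed, so an
    address matches only if it lies outside EVERY listed network."""
    ip = ipaddress.ip_address(addr)
    return all(ip not in net for net in excluded)

# Constructed sample addresses (not taken from the thread).
SAMPLES = [
    "10.6.0.5",    # inside 10.6.0.0/24
    "10.5.0.7",    # inside 10.5.0.0/24
    "10.6.1.9",    # outside both: a /24 covers only 10.6.0.0-10.6.0.255
    "192.0.2.10",  # unrelated documentation address
]

def compare(samples=SAMPLES):
    """Return {address: (reading_1_result, reading_2_result)}."""
    return {a: (matches_any_negation(a), matches_all_negations(a))
            for a in samples}

if __name__ == "__main__":
    print(f"{'address':<14}{'OR of !net':<12}{'AND of !net'}")
    for addr, (r1, r2) in compare().items():
        print(f"{addr:<14}{str(r1):<12}{r2}")
```

Because the two networks are disjoint, no address can sit inside both, so the OR reading matches every address and behaves like any; only the AND reading excludes the internal hosts.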

