[Snort-users] variable problem

Jim Cervantes jcervant at ...9478...
Mon Jun 16 11:02:10 EDT 2003

Since every address matches either !, ! or both, isn't
your suggestion of setting EXTERNAL_NET to [!,!]
equivalent to setting it to any?


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Monday, June 16, 2003 12:53 PM
To: Brian Hughes
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] variable problem

On Mon, 16 Jun 2003, Brian Hughes wrote:

> 	I'm having a problem with the EXTERNAL_NET variable.  We have two
> networks 10.5 and 10.6.  Right now the IDS machine is listening for all
> traffic coming into the 10.6 network.  I'm trying to set things up so
> that Snort will only alert for traffic coming into 10.6 from outside
> 10.6 and 10.5.  Here is how I have my snort.conf variables defined.

That's set correctly.

> (I also tried setting it to ![,] but it didn't
> work either).
> 	From looking through the archives I was thinking this would work,
> but it is still showing alerts being triggered by machines in the 10.6
> network with destinations of the 10.5 network.
> 	The only signature it is doing this for is the spp_portscan2 alert.

That's not a signature.  That's an alert generated by the portscan2
preprocessor.  portscan2 doesn't use HOME_NET or EXTERNAL_NET for
anything.  For that, you need to use portscan2-ignorehosts.  Have a look
at this [0] email from the archives for some more info.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

[0]	http://marc.theaimsgroup.com/?l=snort-users&m=105104781609557&w=2
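
The difference between a list of negations and a negated list, as an added example that is not part of the original thread or of Snort's code. It assumes a list matches when any one of its elements matches, and it assumes /16 prefixes for the "10.5" and "10.6" networks; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumed prefixes: the thread only says "10.5" and "10.6"; /16 is a guess.
NET_A = ipaddress.ip_network("10.5.0.0/16")
NET_B = ipaddress.ip_network("10.6.0.0/16")


def match_list_of_negations(addr, nets):
    """[!A,!B] under any-element-matches semantics (assumption):
    true if addr lies outside at least one of the networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip not in n for n in nets)


def match_negated_list(addr, nets):
    """![A,B]: true only if addr lies outside every network in the list."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in n for n in nets)


def compare(addrs, nets=(NET_A, NET_B)):
    """Return {addr: (list_of_negations, negated_list)} for each address."""
    return {a: (match_list_of_negations(a, nets), match_negated_list(a, nets))
            for a in addrs}


# Constructed sample addresses: one in each internal net, one outside both.
SAMPLES = ["10.5.1.20", "10.6.7.8", "192.0.2.44"]

if __name__ == "__main__":
    for addr, (union_form, complement_form) in compare(SAMPLES).items():
        print(f"{addr:12} [!A,!B]={union_form!s:5} ![A,B]={complement_form}")
```

With disjoint networks the first form is true for every address, because no address can sit inside both; if one network contained the other, addresses in the inner network would fail both negations.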
