[Snort-users] variable problem
jcervant at ...9478...
Mon Jun 16 11:02:10 EDT 2003
Since every address matches either !10.6.0.0/24, !10.5.0.0/24 or both, isn't
your suggestion of setting EXTERNAL_NET to [!10.6.0.0/24,!10.5.0.0/24]
equivalent to setting it to any?
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erek Adams
Sent: Monday, June 16, 2003 12:53 PM
To: Brian Hughes
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] variable problem
On Mon, 16 Jun 2003, Brian Hughes wrote:
> I'm having a problem with the EXTERNAL_NET variable. We have two
> networks 10.5 and 10.6 Right now the IDS machine is listening for all
> traffic coming into the 10.6 network. I'm trying to set things up so
> that Snort will only alert for traffic coming into 10.6 from outside
> 10.6 and 10.5. Here is how I have my snort.conf variables defined.
> HOME_NET 10.6.0.0/24
> EXTERNAL_NET [!10.6.0.0/24,!10.5.0.0/24]
That's set correctly.
> (I also tried setting it to ![10.6.0.0/24,10.5.0.0/24] but it didn't
> work either).
> From looking through the archives I was thinking this would work,
> but it is still showing alerts being triggered by machines in the 10.6
> network with destinations of the 10.5 network.
> The only signature it is doing this for is the spp_portscan2 alert.
That's not a signature. That's an alert generated by the portscan2
preprocessor. portscan2 doesn't use HOME_NET or EXTERNAL_NET for
anything. For that, you need to use portscan2-ignorehosts. Have a look
at this email from the archives for some more info.
"When things get weird, the weird turn pro." H.S. Thompson
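The question at the top of this message, worked through as an added example (not part of the original thread and not Snort's code). It models two possible readings of a negated address list and evaluates both bracket forms from the thread against three constructed addresses. The function names and the two evaluation rules are assumptions made for illustration; the thread does not say which rule Snort applies.

```python
import ipaddress

def parse_var(text):
    """Return (outer_negated, [(negated, network), ...]) for a value such as
    any, 10.6.0.0/24, [!a,!b] or ![a,b]."""
    text = text.strip()
    outer = text.startswith("![")
    if outer:
        text = text[1:]
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    items = []
    for tok in text.split(","):
        tok = tok.strip()
        neg = tok.startswith("!")
        cidr = tok[1:].strip() if neg else tok
        items.append((neg, ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)))
    return outer, items

def match_or(value, addr):
    """Reading A (the one in the question): an address matches the list
    if it satisfies ANY single element, negated or not."""
    outer, items = parse_var(value)
    ip = ipaddress.ip_address(addr)
    hit = any((ip in net) != neg for neg, net in items)
    return hit != outer

def match_exclude(value, addr):
    """Reading B: negated elements are exclusions applied to the whole list."""
    outer, items = parse_var(value)
    ip = ipaddress.ip_address(addr)
    positives = [net for neg, net in items if not neg]
    included = any(ip in net for net in positives) if positives else True
    excluded = any(ip in net for neg, net in items if neg)
    return (included and not excluded) != outer

SAMPLES = ["10.6.0.5", "10.5.0.9", "192.0.2.1"]  # constructed test addresses

def evaluate(value):
    """Map each sample address to (reading A result, reading B result)."""
    return {a: (match_or(value, a), match_exclude(value, a)) for a in SAMPLES}

if __name__ == "__main__":
    for value in ("[!10.6.0.0/24,!10.5.0.0/24]", "![10.6.0.0/24,10.5.0.0/24]"):
        print(value)
        for addr, (a, b) in evaluate(value).items():
            print(f"  {addr:<10} reading A: {a!s:<5} reading B: {b}")
```

Under reading A the list of two negations matches all three addresses, which is the "equivalent to any" case; the ![...] form excludes both internal networks under either reading.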