[Snort-users] Rules optimization

Erek Adams erek at ...950...
Fri Jun 20 08:22:06 EDT 2003

On Fri, 20 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:

> 1. I have multiple subnets in the segment where I'm monitoring the data. Is
> it possible to add multiple segments in HOME_NET?

	var HOME_NET [,]

If you do that, try and use the best CIDR notation that you can.  The more
subnets you have listed the more impact it will have on the speed of the

> 2. If I add my subnets to HOME_NET, will it be able to capture both
> attacks coming into my network as well as attacks being generated from my
> network? I'm basically monitoring the company's internal network and
> interested in both.

Well, that depends on how you have EXTERNAL_NET set.  Quite a few of the
rules are set up like EXTERNAL_NET -> HOME_NET.  You have two options:

	var HOME_NET any

Or run two instances of Snort.  One with an 'incoming' config, and then one
with an 'outgoing' config.

I'll warn you now, you'll see so many false positives using the any,any
thing that it'll make you crazy.


Erek Adams
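As an added illustration of the two points in the reply above (not code from the list post or from Snort itself), the script below collapses a HOME_NET subnet list into the fewest CIDR blocks and then evaluates which traffic directions a rule of the form `$EXTERNAL_NET any -> $HOME_NET any` would match under three variable settings. The subnets and flows are constructed samples; `!$HOME_NET` is the usual negated-variable form for EXTERNAL_NET and is assumed here rather than taken from the post.

```python
import ipaddress

# Constructed sample subnets, as an admin might list them in HOME_NET.
SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
           "192.168.3.0/24", "10.1.0.0/16"]

# Constructed sample flows (src, dst); 203.0.113.5 is a documentation address.
FLOWS = {
    "inbound":  ("203.0.113.5",  "192.168.1.10"),
    "outbound": ("192.168.1.10", "203.0.113.5"),
    "internal": ("192.168.2.7",  "192.168.1.10"),
}


def best_cidr(subnets):
    """Collapse adjacent or overlapping prefixes into the fewest CIDR blocks."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def in_var(ip, var, home_cidrs):
    """Does address `ip` fall inside the Snort variable `var`?
    `var` is 'any', '$HOME_NET' or '!$HOME_NET'; `home_cidrs` is the
    HOME_NET definition: either the string 'any' or a list of CIDRs."""
    if var == "any":
        return True
    negated = var.startswith("!")
    if home_cidrs == "any":
        return not negated  # everything is inside HOME_NET, nothing is outside it
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(c) for c in home_cidrs)
    return hit != negated   # plain var wants a hit, negated var wants a miss


def coverage(home_cidrs, external_net):
    """Which sample flows fire a rule written `$EXTERNAL_NET any -> $HOME_NET any`."""
    return {name: in_var(src, external_net, home_cidrs)
                  and in_var(dst, "$HOME_NET", home_cidrs)
            for name, (src, dst) in FLOWS.items()}


if __name__ == "__main__":
    print("collapsed HOME_NET:", best_cidr(SUBNETS))
    print("HOME_NET=subnets, EXTERNAL_NET=!$HOME_NET:", coverage(SUBNETS, "!$HOME_NET"))
    print("HOME_NET=subnets, EXTERNAL_NET=any:       ", coverage(SUBNETS, "any"))
    print("HOME_NET=any,     EXTERNAL_NET=any:       ", coverage("any", "any"))
```

The third setting matches every flow, including internal-to-internal traffic, which is exactly where the false positives the reply warns about come from.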

