[Snort-users] Best External_Net setting

Stephen W. Thomas swthomas at ...9227...
Thu May 22 06:37:07 EDT 2003

I'm trying to find out what the pros and cons are to setting the external_net variable to "!$home_net" instead of "any" on a client's network.
The network is currently configured where the internet feeds a router which feeds a firewall which feeds a Windows2k network. The network consists of Web servers, DNS servers, Exchange servers, and file servers. These are all on the same domain. Snort is monitoring that domain. My boss is trying to get rid of all of the false hits it's taking from inter-server traffic, so I thought that changing the External_Net variable to "!$Home_Net" would do it. However, I'm afraid if someone broke through the firewall, or spoofed an internal IP then we wouldn't get any hits on it.
Does anyone have any thoughts on External_Net being defined as "any" or "!$Home_Net"?
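
The trade-off asked about above, as an added example that is not part of the original post: a small Python model of the address check for a rule header of the form `alert tcp $EXTERNAL_NET any -> $HOME_NET any`, evaluated under both settings. The HOME_NET range, the host addresses and the flow labels are constructed for illustration, and only the source/destination address test is modelled, not ports or rule options.

```python
import ipaddress

# Constructed example range standing in for the monitored domain (assumption).
HOME_NET = [ipaddress.ip_network("192.168.10.0/24")]

def in_nets(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def matches_external(ip, setting):
    """Does `ip` satisfy $EXTERNAL_NET under the given variable setting?"""
    if setting == "any":
        return True
    if setting == "!$HOME_NET":
        return not in_nets(ip, HOME_NET)
    raise ValueError(f"unsupported setting: {setting}")

def rule_fires(src, dst, setting):
    """Address check for: alert tcp $EXTERNAL_NET any -> $HOME_NET any"""
    return matches_external(src, setting) and in_nets(dst, HOME_NET)

# Constructed flows: (label, source address, destination address).
FLOWS = [
    ("internet client -> web server", "203.0.113.7", "192.168.10.20"),
    ("exchange -> dns (inter-server)", "192.168.10.30", "192.168.10.53"),
    ("spoofed internal source -> file server", "192.168.10.99", "192.168.10.40"),
    ("compromised web server -> file server", "192.168.10.20", "192.168.10.40"),
]

def coverage(setting):
    """Map each flow label to whether the rule header matches it."""
    return {label: rule_fires(src, dst, setting) for label, src, dst in FLOWS}

if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET = {setting}")
        for label, fired in coverage(setting).items():
            print(f"  {'match' if fired else 'skip '}  {label}")
```

With `!$HOME_NET` the inter-server flow drops out, and so do the two flows whose source address lies inside HOME_NET; with `any` all four are inspected.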
