[Snort-users] External Subnets

Erwin Van de Velde erwin.vandevelde at ...10361...
Tue Nov 25 17:29:05 EST 2003

I haven't tried it yet, and while it's 2:30 AM here in Belgium it will have to 
wait till tomorrow :-)
But I think yes, and if not, why don't you say then
for example?

Although I don't think it's such a good idea to take anything else than 'any' 
for the $EXTERNAL_NET, as many attack rules are based on the fact that the 
attacker is on the external net. By setting this to something like !$NETWORK, 
every employee in your firm on $NETWORK can attack any host on your network 
unnoticed, which cannot be what you meant it to be I think...
Any ideas on this?

Erwin Van de Velde
Student of the Antwerp University,

On Wednesday 26 November 2003 01:10, adam_peterson at ...10608... wrote:
> Is it possible to specify a negative variable value for a variable?
> Meaning:
> The bang is just an idea of something that would negate the value so that
> my external_net variable would be any ip/subnet that isn't part of the
> home_net variable.  Is there anything in place to allow for this?  Could
> there be?  Since so many of the rules are based on the external_net
> variable, it's very frustrating that it must be set to ANY for my
> configurations because I can't specifiy every subnet on the Internet...or
> can I?
> Any help/advice is greatly appreciated.
> Adam Peterson | Senior WAN Engineer | SPL WorldGroup |
> adam_peterson at ...10608...

More information about the Snort-users mailing list