[Snort-users] External Subnets

Erwin Van de Velde erwin.vandevelde at ...10361...
Tue Nov 25 17:29:05 EST 2003


I haven't tried it yet, and while it's 2:30 AM here in Belgium it will have to 
wait till tomorrow :-)
But I think yes, and if not, why don't you say then
var NETWORK 192.168.0.0/24
var EXTERNAL_NET !$NETWORK
for example?

Although I don't think it's such a good idea to take anything else than 'any' 
for the $EXTERNAL_NET, as many attack rules are based on the fact that the 
attacker is on the external net. By setting this to something like !$NETWORK, 
every employee in your firm on $NETWORK can attack any host on your network 
unnoticed, which cannot be what you meant it to be I think...
Any ideas on this?

Greetz,
Erwin Van de Velde
Student of the Antwerp University,
Belgium


On Wednesday 26 November 2003 01:10, adam_peterson at ...10608... wrote:
> Is it possible to specify a negative variable value for a variable?
> Meaning:
>
> var EXTERNAL_NET        !HOME_NET
>
> The bang is just an idea of something that would negate the value so that
> my external_net variable would be any ip/subnet that isn't part of the
> home_net variable.  Is there anything in place to allow for this?  Could
> there be?  Since so many of the rules are based on the external_net
> variable, it's very frustrating that it must be set to ANY for my
> configurations because I can't specify every subnet on the Internet...or
> can I?
>
> Any help/advice is greatly appreciated.
>
> Adam Peterson | Senior WAN Engineer | SPL WorldGroup |
> adam_peterson at ...10608...
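
Added example, not part of the original thread: a small Python model of how a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` matches under the two EXTERNAL_NET settings discussed above. The flows are constructed, and `resolve`, `rule_matches` and `coverage` are hypothetical helpers that simplify the matching; they are not Snort's own code.

```python
import ipaddress


def resolve(spec, variables):
    """Turn 'any', a CIDR, '$VAR' or a '!'-negated form into a predicate on IPs."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body.startswith("$"):
        # Variable reference: resolve the variable's own value recursively.
        pred = resolve(variables[body[1:]], variables)
    elif body == "any":
        pred = lambda ip: True
    else:
        net = ipaddress.ip_network(body)
        pred = lambda ip: ipaddress.ip_address(ip) in net
    return (lambda ip: not pred(ip)) if negate else pred


def rule_matches(src, dst, variables):
    """Header check for a rule shaped like: $EXTERNAL_NET any -> $HOME_NET any."""
    src_ok = resolve("$EXTERNAL_NET", variables)(src)
    dst_ok = resolve("$HOME_NET", variables)(dst)
    return src_ok and dst_ok


# Constructed sample flows (source, destination); not taken from the thread.
FLOWS = [
    ("203.0.113.7", "192.168.0.10"),   # outside host -> home network
    ("192.168.0.55", "192.168.0.10"),  # home network -> home network
    ("192.168.0.55", "198.51.100.9"),  # home network -> outside host
]


def coverage(external_net):
    """Return, per flow, whether the rule header matches for this EXTERNAL_NET."""
    variables = {"HOME_NET": "192.168.0.0/24", "EXTERNAL_NET": external_net}
    return [rule_matches(src, dst, variables) for src, dst in FLOWS]


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET={setting:<11} {coverage(setting)}")
```

The second flow is the one the reply is concerned about: it matches with `any` and stops matching with `!$HOME_NET`.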




