[Snort-users] Snort setup help

Matt Kettler mkettler at ...4108...
Wed Sep 1 08:58:34 EDT 2004


At 09:14 AM 9/1/2004, Darren Reeves wrote:
>  I
>have added all subnets to the HOME_NET but what should i set for
>EXTERNAL_NET.  I would like to be able to catch suspicous traffic
>entering and leaving our network without having an insane amount of
>alerts.

Use this to only look at attacks from the outside targeting your network, 
but ignore attacks between two machines in HOME_NET.

var EXTERNAL_NET !$HOME_NET

you can also switch to "any" if you want to monitor for attacks within your 
lan, but this can be noisy.

var EXTERNAL_NET any








More information about the Snort-users mailing list