[Snort-users] Home_net/External Net question

Seth Art adidas30 at ...131...
Wed Sep 8 13:36:20 EDT 2004


Background:

I have 2 firewalls, each monitoring 3 subnets.  

Subnets a, b, and c and VPN pool1 are going out/coming
in through firewall one.
Subnets d, e, and f and VPN pool2 are going out/coming
in through firewall two.

On my sensor inside of Firewall 1 HOME_NET is 
[a,b,c,vpnpool1]
On my sensor inside of Firewall 2 HOME_NET is
[d,e,f,vpnpool2]

EXTERNAL_NET on both are !$HOME_NET

I often get ICMP and other rules that trigger going
from either [a,b,c,vpnpool1] to [d,e,f,vpnpool2] even
though they are both really my "home" network.

Here comes my question.  Should I keep everything the
way it is?  Or should I:

a) keep the home_nets the same but make a new variable
 called entire_home_net and include all 6 subnets and
both vpn pools and negate THAT for the external_net

b) add subnets a-f and both vpn pools to the home_net
var on each sensor (I don't think so)

c) a third suggestion

Thanks,

Seth

=====
REPLY TO:     adidas3 at ...549...
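
The three variable layouts from the question, modelled for the sensor behind firewall two, as an added example that is not part of the original post. The addresses are constructed stand-ins for subnets a-f and the VPN pools, and only the address part of a rule header is evaluated (no ports, protocol or content).

```python
import ipaddress

# Constructed addresses standing in for the post's subnets and VPN pools.
SITE1 = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.250.0/24"]  # a, b, c, vpnpool1
SITE2 = ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24", "10.2.250.0/24"]  # d, e, f, vpnpool2

def nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)

def sensor2_vars(option):
    """Return (HOME_NET, list negated by EXTERNAL_NET) for the firewall-two sensor."""
    if option == "current":   # EXTERNAL_NET = !$HOME_NET
        return nets(SITE2), nets(SITE2)
    if option == "a":         # HOME_NET unchanged, EXTERNAL_NET = !$ENTIRE_HOME_NET
        return nets(SITE2), nets(SITE1 + SITE2)
    if option == "b":         # every subnet and both pools in HOME_NET
        return nets(SITE1 + SITE2), nets(SITE1 + SITE2)
    raise ValueError(option)

def inbound_rule_matches(option, src, dst):
    """Address test for a header of the form '$EXTERNAL_NET any -> $HOME_NET any'."""
    home, not_external = sensor2_vars(option)
    return not in_any(src, not_external) and in_any(dst, home)

def outbound_rule_matches(option, src, dst):
    """Address test for a header of the form '$HOME_NET any -> $EXTERNAL_NET any'."""
    home, not_external = sensor2_vars(option)
    return in_any(src, home) and not in_any(dst, not_external)

if __name__ == "__main__":
    host_a, host_d, outside = "10.1.1.5", "10.2.1.9", "198.51.100.7"  # constructed
    for opt in ("current", "a", "b"):
        print(opt,
              "a->d inbound:", inbound_rule_matches(opt, host_a, host_d),
              "| internet->d inbound:", inbound_rule_matches(opt, outside, host_d),
              "| a->internet outbound:", outbound_rule_matches(opt, host_a, outside))
```

With these sample hosts, both (a) and (b) stop the cross-site match while traffic from outside is still evaluated; the two differ only in whether hosts from the other site count as HOME_NET sources on this sensor.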
