[Snort-users] Home_net/External Net question

Seth Art adidas30 at ...131...
Wed Sep 8 13:36:20 EDT 2004


I have 2 firewalls, each monitoring 3 subnets.  

Subnets a, b, and c and VPN pool1 are going out/coming
in through firewall one.
Subnets d, e, and f and VPN pool2 are going out/coming
in through firewall two.

On my sensor inside of Firewall 1 HOME_NET is 
On my sensor inside of Firewall 2 HOME_NET is


I often get ICMP and other rules that trigger going
from either [a,b,c,vpnpool1] to [d,e,f,vpnpool2] even
though they are both really my "home" network.

Here comes my question.  Should I keep everything the
way it is?  OR should I:

a) keep the home_nets the same but make a new variable
 called entire_home_net and include all 6 subnets and
both vpn pools and negate THAT for the external_net

b) add subnets a-f and both vpn pools to the home_net
var on each sensor (I don't think so)

c) a third suggestion



REPLY TO:     adidas3 at ...549...
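
What option (a) would look like in snort.conf on the sensor inside Firewall 1, as an added example that is not part of the original post. The addresses are constructed placeholders, since the post does not give the real subnets; ENTIRE_HOME_NET is the variable name proposed in the post.

```conf
# snort.conf on the sensor inside Firewall 1
# All addresses below are constructed placeholders.

# Unchanged: the networks this sensor protects
# (subnets a, b, c and VPN pool 1).
var HOME_NET [10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.250.0/24]

# New: every internal network behind both firewalls
# (subnets a-f and both VPN pools).
var ENTIRE_HOME_NET [10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.250.0/24,10.2.1.0/24,10.2.2.0/24,10.2.3.0/24,10.2.250.0/24]

# Before: EXTERNAL_NET was everything outside this sensor's HOME_NET,
# so d, e, f and VPN pool 2 counted as external sources.
#   var EXTERNAL_NET !$HOME_NET

# After: EXTERNAL_NET excludes both sites, so rules written as
# "$EXTERNAL_NET any -> $HOME_NET any" no longer match site-to-site traffic.
var EXTERNAL_NET !$ENTIRE_HOME_NET
```

The sensor inside Firewall 2 would mirror this with its own HOME_NET (d, e, f and VPN pool 2) and the same ENTIRE_HOME_NET. The trade-off is that rules keyed on $EXTERNAL_NET as the source stop firing for hosts at the other site, so a compromised machine there attacking this site is no longer seen by those rules.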

