[Snort-users] Alternate EXTERNAL_NET Problems
Bruce.Briggs at ...13183...
Thu Mar 17 14:11:34 EST 2005
I have tried to set up Snort variables
var HOME_NET1 [ a bunch of subnets ]
var EXTERNAL_NET1 !HOME_NET1
and then modified some of the NETBIOS alerts to use $EXTERNAL_NET1
instead of $EXTERNAL_NET.
However, I end up with alerts for IP addrs which are in HOME_NET1.
I also tried modifying the same NETBIOS rules replacing $EXTERNAL_NET
with !$HOME_NET1 and also end up with alerts for IP addrs in HOME_NET1.
If I make HOME_NET the same as HOME_NET1 and
var EXTERNAL_NET !HOME_NET
then all the NETBIOS rules work as expected.
Is there a reason why EXTERNAL_NET1 or !$HOME_NET1 does not work as
I'm running Snort 2.3.0 on Windows 2000.