[Snort-users] Alternate EXTERNAL_NET Problems

Briggs, Bruce Bruce.Briggs at ...13183...
Thu Mar 17 14:11:34 EST 2005

I have tried to set up a Snort variable
   var HOME_NET1 [ a bunch of subnets ]  
and then modified some of the NETBIOS alerts to use $EXTERNAL_NET1
instead of $EXTERNAL_NET.
However, I end up with alerts for IP addrs which are in HOME_NET1.

I also tried modifying the same NETBIOS rules replacing $EXTERNAL_NET
with !$HOME_NET1 and also end up with alerts for IP addrs in HOME_NET1.

If I make HOME_NET the same as HOME_NET1,
then all the NETBIOS rules work as expected.

Is there a reason why EXTERNAL_NET1 or !$HOME_NET1 does not work as
I expect?

I'm running Snort 2.3.0 on Windows 2000.

