[Snort-users] Alternate EXTERNAL_NET Problems

Briggs, Bruce Bruce.Briggs at ...13183...
Thu Mar 17 14:11:34 EST 2005


I have tried to set up Snort variables
   var HOME_NET1 [ a bunch of subnets ]  
   var EXTERNAL_NET1 !HOME_NET1 
and then modified some of the NETBIOS alerts to use $EXTERNAL_NET1
instead of $EXTERNAL_NET.
However, I end up with alerts for IP addrs which are in HOME_NET1.

I also tried modifying the same NETBIOS rules replacing $EXTERNAL_NET
with !$HOME_NET1 and also end up with alerts for IP addrs in HOME_NET1.

If I make HOME_NET  the same as  HOME_NET1    and
 var EXTERNAL_NET !HOME_NET 
then all the NETBIOS rules work as expected.

Is there a reason why  EXTERNAL_NET1  or   !$HOME_NET1  does not work as
I expect?

I'm running Snort 2.3.0 on Windows 2000.


Thanks,
Bruce



