[Snort-users] Will Snort understand something like this?

Hin hchlai at ...2792...
Wed Sep 28 07:39:27 EDT 2005


If I do "var EXTERNAL_NET $DMZ_NET", then I would only see alerts from DMZ -> HOME. I would like to see alerts from EXTERNAL to HOME as well as DMZ to HOME. Just like many of you from the DC metropolitan area, I use routable IPs in my HOME_NET too. =)

Anyhow, I just ran a test by using 2 custom sigs:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound tcp traffic"; sid:5000000;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound tcp traffic"; sid:5000001;)

I guess Snort does interpret it correctly, as I can see traffic from EXTERNAL to HOME, DMZ to HOME and vice versa. However, I'm interested to know, Joel, from my last question regarding the VNC server response: if I now know that I have defined EXTERNAL_NET and HOME_NET properly, what would be the cause of what I have seen?

Hin


Joel Esler <joel.esler at ...1935...> wrote:

>Why wouldn't you just do a var EXTERNAL_NET $DMZ_NET
>
>
>??
>
>Joel
>
>
>On Sep 28, 2005, at 9:53 AM, Hin wrote:
>
>> Hi Snorters,
>>
>> I set the following in my snort.conf
>>
>> var HOME_NET 192.168.0.0/16
>> var DMZ_NET [192.168.5.0/24,192.168.10.0/24,192.168.15.0/24]
>> var EXTERNAL_NET [!$HOME_NET,$DMZ_NET]
>>
>> Snort starts properly, but I don't know if Snort interprets  
>> EXTERNAL_NET correctly. Is there a way that I can find this  
>> information out?
>>
>> ps. Let's not try to understand how I get into this situation.
>>
>> Cheers,
>>
>> Hin
>>
>>
>
>
