[Snort-users] Using Ranges in $HOME_NET and $EXTERNAL_NET

John Duksta jduksta at ...11827...
Mon Oct 13 11:07:10 EDT 2008


We're making an effort in our HOME_NET definitions to exclude internal
addresses of proxy servers so internal sensors will treat them as external
hosts and we'll catch more browser-based exploits.

There are a couple of ways to skin this cat, but the one that seems to work
best is to do something that's not explicitly supported, i.e. using a range
specifier in the HOME_NET. It seems to work and the snort.conf parser
doesn't complain. However, I'd like to get the thoughts of the community as
to the long-term feasibility of this strategy.

Example:

Original Settings:
var HOME_NET [192.168.30.0/24]

I want to exclude 192.168.30.10 and .11 because they're proxy servers
var HOME_NET [192.168.30.0:192.168.30.9,192.168.30.12:192.168.30.255]

Thoughts?
-j


-- 
John Duksta <jduksta at ...11827...>
Can't sleep, clowns will eat me.
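
Added example, not part of the original post: the same exclusion of 192.168.30.10 and .11 written as a comma-separated CIDR list, the list form snort.conf variables accept, so the definition does not rely on a range specifier. The function and constant names are hypothetical; the /24 and the two proxy addresses are the ones given in the post.

```python
import ipaddress


def cidrs_excluding(network, excluded_hosts):
    """Return CIDR blocks covering `network` minus the excluded IPv4 hosts."""
    net = ipaddress.IPv4Network(network)
    skip = sorted({int(ipaddress.IPv4Address(h)) for h in excluded_hosts})
    first, last = int(net.network_address), int(net.broadcast_address)
    blocks = []
    cursor = first  # lowest address not yet covered or skipped
    for host in skip:
        if not first <= host <= last:
            raise ValueError(f"{ipaddress.IPv4Address(host)} is outside {net}")
        if host > cursor:
            # Cover the gap between the previous excluded host and this one.
            blocks.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(host - 1)))
        cursor = host + 1
    if cursor <= last:
        # Cover everything after the last excluded host.
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(last)))
    return blocks


def home_net_line(blocks):
    """Format blocks as a bracketed, comma-separated snort.conf var line."""
    return "var HOME_NET [" + ",".join(str(b) for b in blocks) + "]"


def covers(blocks, host):
    """True if any block contains host; confirms the proxies fall outside."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in b for b in blocks)


# Values from the post: the /24 and the two proxy addresses to leave out.
PROXIES = ["192.168.30.10", "192.168.30.11"]
BLOCKS = cidrs_excluding("192.168.30.0/24", PROXIES)

if __name__ == "__main__":
    print(home_net_line(BLOCKS))
    for p in PROXIES:
        print(p, "in HOME_NET:", covers(BLOCKS, p))
```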