[Snort-users] Using Ranges in $HOME_NET and $EXTERNAL_NET
jduksta at ...11827...
Mon Oct 13 11:07:10 EDT 2008
We're making an effort in our HOME_NET definitions to exclude internal
addresses of proxy servers so internal sensors will treat them as external
hosts and we'll catch more browser based exploits.
There are a couple of ways to skin this cat, but the one that seems to work
best is to do something that's not explicitly supported, i.e. using a range
specifier in the HOME_NET. It seems to work and the snort.conf parser
doesn't complain. However, I'd like to get the thoughts of the community as
to the long term feasibility of this strategy.
var HOME_NET [192.168.30.0/24]
I want to exclude 192.168.30.10 and .11 because they're proxy servers
var HOME_NET [192.168.30.0:192.168.30.9,192.168.30.12:192.168.30.255]
John Duksta <jduksta at ...11827...>
Can't sleep, clowns will eat me.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users