[Snort-users] Using Ranges in $HOME_NET and $EXTERNAL_NET

John Duksta jduksta at ...11827...
Mon Oct 13 11:07:10 EDT 2008

We're making an effort in our HOME_NET definitions to exclude internal
addresses of proxy servers so internal sensors will treat them as external
hosts and we'll catch more browser-based exploits.

There are a couple of ways to skin this cat, but the one that seems to work
best is to do something that's not explicitly supported, i.e. using a range
specifier in the HOME_NET. It seems to work and the snort.conf parser
doesn't complain. However, I'd like to get the thoughts of the community as
to the long-term feasibility of this strategy.


Original Settings:
var HOME_NET []

I want to exclude and .11 because they're proxy servers
var HOME_NET [,]


John Duksta <jduksta at ...11827...>
Can't sleep, clowns will eat me.
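
Added example, not part of the original post: an alternative that uses only plain CIDR entries is to expand "the network minus the proxy hosts" into the CIDR blocks that cover exactly the remaining addresses. The network 192.0.2.0/28, the hosts .10 and .11 (RFC 5737 documentation range) and the function names are constructed for illustration.

```python
import ipaddress


def home_net_without(network, excluded_hosts):
    """Return sorted CIDR blocks covering `network` minus each excluded host."""
    blocks = [ipaddress.ip_network(network)]
    for host in excluded_hosts:
        host_net = ipaddress.ip_network(host)  # a bare address becomes a /32
        remaining, found = [], False
        for block in blocks:
            if host_net.version == block.version and host_net.subnet_of(block):
                # address_exclude yields the blocks left once host_net is removed
                remaining.extend(block.address_exclude(host_net))
                found = True
            else:
                remaining.append(block)
        if not found:
            # A typo in the exclusion list would otherwise pass silently
            raise ValueError(f"{host} is not inside {network} (or listed twice)")
        blocks = remaining
    return sorted(blocks)


def render_var(name, blocks):
    """Format the blocks as a snort.conf list variable."""
    return "var {} [{}]".format(name, ",".join(str(b) for b in blocks))


if __name__ == "__main__":
    # Constructed sample: a /28 with two proxy servers at .10 and .11
    blocks = home_net_without("192.0.2.0/28", ["192.0.2.10", "192.0.2.11"])
    print(render_var("HOME_NET", blocks))
```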