[Snort-users] Using Ranges in $HOME_NET and $EXTERNAL_NET

Joel Esler eslerj at ...11827...
Mon Oct 13 11:35:35 EDT 2008


var HOME_NET [!192.168.30.10,!192.168.30.11,192.168.30.0/24]

J

On Oct 13, 2008, at 11:07 AM, John Duksta wrote:

>
> We're making an effort in our HOME_NET definitions to exclude
> internal addresses of proxy servers so internal sensors will treat
> them as external hosts and we'll catch more browser-based exploits.
>
> There are a couple of ways to skin this cat, but the one that seems
> to work best is to do something that's not explicitly supported,
> i.e. using a range specifier in the HOME_NET. It seems to work and
> the snort.conf parser doesn't complain. However, I'd like to get the
> thoughts of the community as to the long-term feasibility of this
> strategy.
>
> Example:
>
> Original Settings:
> var HOME_NET [192.168.30.0/24]
>
> I want to exclude 192.168.30.10 and .11 because they're proxy servers
> var HOME_NET [192.168.30.0:192.168.30.9,192.168.30.12:192.168.30.255]
>
> Thoughts?
> -j
>
>
> -- 
> John Duksta <jduksta at ...11827...>
> Can't sleep, clowns will eat me.
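
Added example, not part of either message and not Snort code: a Python check that the negation form in the reply and the range form in the quoted question cover the same addresses, plus the equivalent CIDR-only list. It models the lists as plain address sets under two assumptions (a `!` entry removes that host from the included networks, and `low:high` includes both endpoints); it does not exercise Snort's own parser, handles IPv4 only, and all function names are hypothetical.

```python
import ipaddress

# The two HOME_NET bodies from the thread.
NEGATED = "[!192.168.30.10,!192.168.30.11,192.168.30.0/24]"
RANGED = "[192.168.30.0:192.168.30.9,192.168.30.12:192.168.30.255]"
PROXIES = {ipaddress.ip_address("192.168.30.10"),
           ipaddress.ip_address("192.168.30.11")}


def items(spec):
    """Split a bracketed, comma-separated list into its entries."""
    return [i.strip() for i in spec.strip().strip("[]").split(",") if i.strip()]


def negation_set(spec):
    """Assumed semantics: union of plain entries minus union of '!' entries."""
    include, exclude = set(), set()
    for item in items(spec):
        bucket = exclude if item.startswith("!") else include
        bucket.update(ipaddress.ip_network(item.lstrip("!"), strict=False))
    return include - exclude


def range_set(spec):
    """Assumed semantics: 'low:high' covers both endpoints (IPv4 only)."""
    addrs = set()
    for item in items(spec):
        low, high = (ipaddress.ip_address(p) for p in item.split(":"))
        for net in ipaddress.summarize_address_range(low, high):
            addrs.update(net)
    return addrs


def as_cidrs(addrs):
    """Smallest CIDR list covering exactly the given addresses."""
    nets = (ipaddress.ip_network(str(a)) for a in addrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    neg, rng = negation_set(NEGATED), range_set(RANGED)
    print("same coverage:", neg == rng, "| addresses:", len(neg))
    print("proxies excluded:", PROXIES.isdisjoint(neg))
    # A form that needs neither ranges nor negation:
    print("var HOME_NET [" + ",".join(as_cidrs(neg)) + "]")
```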
