[Snort-users] Upgraded to 2.8.6 and external network addresses

James R. Marcus jmarcus at ...14853...
Thu Apr 29 16:46:07 EDT 2010


Hi,
Pretty new to Snort. I upgraded to 2.8.6 today and I'm running on CentOS 5.3 64-bit. In reality I didn't upgrade, I removed (not uninstalled) all the Snort binaries from my system and then installed an RPM of 2.8.6. I copied a fair amount of my configuration from the snort.conf of my earlier version. I specified my Web servers, telnet servers (phone system), etc. in the configuration. Then I came to the EXTERNAL_NET variable and looked at the IPs assigned to my routers. I added the CIDR nets we were assigned. So now I'm getting a lot fewer alerts; is that because of the additional detail I provided for network services and external networks?

I know it says a good start may be "any" but is that because some people don't know their external CIDR net?


These aren't my real IPs:


# Set up the external network addresses.  A good start may be "any"
var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]



Thanks,
James
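
Added example (not part of the original message): many stock Snort rules have headers of the form "alert tcp $EXTERNAL_NET any -> $HOME_NET ...", so a packet's source address must fall inside EXTERNAL_NET for those rules to match. This Python script parses the var line posted above and compares which constructed sample source addresses it covers against "any"; the function names and sample addresses are assumptions made for this illustration.

```python
import ipaddress
import re

# The variable line as posted in the message above.
POSTED = "var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]"
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

def parse_ip_var(line):
    """Parse 'var NAME value' into (name, include_nets, exclude_nets).

    Handles 'any', a single CIDR, and a bracketed list with '!' negation.
    References to other variables (e.g. $HOME_NET) are not resolved here.
    """
    m = re.match(r"\s*(?:ip)?var\s+(\S+)\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not a var/ipvar line: %r" % line)
    name, value = m.groups()
    include, exclude = [], []
    for item in value.strip("[]").split(","):
        item = item.strip()
        target = exclude if item.startswith("!") else include
        item = item.lstrip("!")
        net = ANY_NET if item == "any" else ipaddress.ip_network(item, strict=False)
        target.append(net)
    if not include:  # a purely negated value means "everything except"
        include = [ANY_NET]
    return name, include, exclude

def src_matches(addr, include, exclude):
    """True if addr would satisfy a rule header that uses this variable."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in include) and not any(ip in n for n in exclude)

def coverage(addrs, line):
    """Return the subset of addrs covered by the variable defined in line."""
    _, inc, exc = parse_ip_var(line)
    return [a for a in addrs if src_matches(a, inc, exc)]

# Constructed sample sources: three documentation-range addresses plus two
# addresses inside the placeholder networks from the post.
SAMPLE_SOURCES = ["198.51.100.7", "203.0.113.45", "67.89.243.210",
                  "64.112.133.100", "192.0.2.9"]

if __name__ == "__main__":
    print("posted list:", coverage(SAMPLE_SOURCES, POSTED))
    print("any:        ", coverage(SAMPLE_SOURCES, "var EXTERNAL_NET any"))
```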


