[Snort-users] Upgraded to 2.8.6 and external network addresses

Burks, Doug doug.burks at ...14446...
Thu Apr 29 16:56:54 EDT 2010

Hi James,

I think you're misunderstanding the purpose of EXTERNAL_NET.  Quoting
from http://seclists.org/snort/2007/q1/3 :
"HOME_NET is a list of systems you are interested in protecting.
EXTERNAL_NET is a list of systems you are interested in protecting
HOME_NET from."

Doug Burks

-----Original Message-----
From: James R. Marcus [mailto:jmarcus at ...14853...] 
Sent: Thursday, April 29, 2010 4:46 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Upgraded to 2.8.6 and external network addresses

Pretty new to Snort. I upgraded to 2.8.6 today and I'm running on
CentOS 5.3 64-bit. In reality I didn't upgrade, I removed (not uninstalled)
all the Snort binaries from my system and then installed an RPM of
2.8.6. I copied a fair amount of my configuration from the snort.conf of
my earlier version.  I specified my Web servers, telnet servers (phone
system), etc in the configuration.  Then I came to the EXTERNAL_NET
variable and looked at the IPs assigned to my routers. I added the
CIDR nets we were assigned.  So now I'm getting a lot fewer alerts, is
that because of the additional detail I provided for network services and
external networks?

I know it says a good start may be "any" but is that because some people
don't know their external CIDR net?

These aren't my real IPs:

# Set up the external network addresses.  A good start may be "any"
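
An added illustration, not part of the thread and not Snort's own code: a simplified Python model of the header check for a rule of the form `alert tcp $EXTERNAL_NET any -> $HOME_NET 80`, run over the same packets with three EXTERNAL_NET values. All addresses are constructed documentation ranges, and HOME_NET being equal to the assigned block is an assumption of the example.

```python
import ipaddress

# Constructed values: documentation ranges stand in for a site's real networks.
HOME_NET = ["192.0.2.0/24"]        # hosts being protected (assumed)
ASSIGNED_CIDR = ["192.0.2.0/24"]   # the site's own assigned block (assumed)

def in_nets(ip, spec):
    """Test an address against a Snort-style variable value.
    spec is "any", a list of CIDRs, or ("not", list) to model !$VAR."""
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return not in_nets(ip, spec[1])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in spec)

def header_matches(pkt, external_net, home_net=HOME_NET):
    """Header test for: alert tcp $EXTERNAL_NET any -> $HOME_NET 80"""
    src, dst, dport = pkt
    return dport == 80 and in_nets(src, external_net) and in_nets(dst, home_net)

# Constructed packets: (source, destination, destination port)
PACKETS = [
    ("198.51.100.7", "192.0.2.10", 80),    # Internet host -> protected web server
    ("203.0.113.50", "192.0.2.10", 80),    # Internet host -> protected web server
    ("192.0.2.44", "192.0.2.10", 80),      # internal host -> protected web server
    ("192.0.2.44", "198.51.100.7", 80),    # internal host -> Internet (outbound)
]

def count_candidates(external_net):
    """How many sample packets pass the header test and would be inspected."""
    return sum(header_matches(p, external_net) for p in PACKETS)

SETTINGS = {
    "any": "any",
    "!$HOME_NET": ("not", HOME_NET),
    "own assigned CIDR": ASSIGNED_CIDR,
}

if __name__ == "__main__":
    for name, value in SETTINGS.items():
        n = count_candidates(value)
        print(f"EXTERNAL_NET = {name:18} -> {n} packet(s) pass the rule header")
```

In this model, pointing EXTERNAL_NET at the site's own block leaves only the internal-to-internal packet eligible, so both Internet-sourced packets are never inspected by the rule.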
