[Snort-users] Upgraded to 2.8.6 and external network addresses

James R. Marcus jmarcus at ...14853...
Thu Apr 29 17:11:17 EDT 2010


Yes I did misunderstand, thank you for posting the link, it was very helpful.

James


On Apr 29, 2010, at 4:56 PM, Burks, Doug wrote:

> Hi James,
> 
> I think you're misunderstanding the purpose of EXTERNAL_NET.  Quoting
> from http://seclists.org/snort/2007/q1/3 :
> "HOME_NET is a list of systems you are interested in protecting.
> EXTERNAL_NET is a list of systems you are interested in protecting
> HOME_NET from."
> 
> Regards,
> Doug Burks
> 
> -----Original Message-----
> From: James R. Marcus [mailto:jmarcus at ...14853...] 
> Sent: Thursday, April 29, 2010 4:46 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Upgraded to 2.8.6 and external network addresses
> 
> Hi,
> Pretty new to Snort. I upgraded to 2.8.6 today and I'm running on
> CentOS 5.3 64-bit. In reality I didn't upgrade, I removed (not uninstalled)
> all the Snort binaries from my system and then installed an RPM of
> 2.8.6. I copied a fair amount of my configuration from the snort.conf of
> my earlier version.  I specified my Web servers, telnet servers (phone
> system), etc in the configuration.  Then I came to the EXTERNAL_NET
> variable and looked at the IPs assigned to my routers. I added the
> CIDR nets we were assigned.  So now I'm getting a lot fewer alerts, is
> that because of the additional detail I provided for network services and
> external networks?
> 
> I know it says a good start may be "any" but is that because some people
> don't know their external CIDR net?
> 
> 
> These aren't my real IPs:
> 
> 
> # Set up the external network addresses.  A good start may be "any"
> var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]
> 
> 
> 
> Thanks,
> James
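
An added illustration, not part of the original thread and not Snort's own code: a simplified Python model of the common rule header `$EXTERNAL_NET any -> $HOME_NET any`, showing why listing only a site's own assigned networks in EXTERNAL_NET leaves fewer packets eligible to alert. All addresses are constructed documentation ranges, and `parse_var` and `alerts` are hypothetical helper names.

```python
import ipaddress

def parse_var(value, home=None):
    """Turn a snort.conf-style address variable into a match predicate."""
    if value == "any":
        return lambda ip: True
    if value == "!$HOME_NET":
        return lambda ip: not home(ip)
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in value.strip("[]").split(",")]
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)

def alerts(home_net, external_net, packets):
    """Packets eligible for a rule with header: $EXTERNAL_NET any -> $HOME_NET any."""
    home = parse_var(home_net)
    ext = parse_var(external_net, home)
    return [(src, dst) for src, dst in packets if ext(src) and home(dst)]

# Constructed sample data (assumptions, not values from the thread).
HOME_NET = "[192.0.2.0/24]"   # systems being protected
OWN_NETS = "[192.0.2.0/28]"   # the site's own router range, used as EXTERNAL_NET
PACKETS = [
    ("203.0.113.7", "192.0.2.10"),   # Internet host -> protected web server
    ("198.51.100.9", "192.0.2.10"),  # another Internet host -> web server
    ("192.0.2.1", "192.0.2.10"),     # site's own router -> web server
    ("192.0.2.10", "203.0.113.7"),   # outbound reply, destination not in HOME_NET
]

if __name__ == "__main__":
    for ext in ("any", "!$HOME_NET", OWN_NETS):
        hits = alerts(HOME_NET, ext, PACKETS)
        print(f"EXTERNAL_NET {ext:<18} -> {len(hits)} eligible packet(s): {hits}")
```

With EXTERNAL_NET restricted to the site's own range, traffic from Internet sources never satisfies the rule header, so those rules cannot fire on it.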








