[Snort-users] Regarding snort.conf HOME_NET and EXTERNAL_NET
bphelps at ...15414...
Thu Nov 10 16:39:16 EST 2011
The default snort.conf indicates that you should leave EXTERNAL_NET as
"any" in most situations.
I already have HOME_NET set to [10.0.0.0/8] (my internal network) so
would it be prudent to set EXTERNAL_NET to !$HOME_NET instead, or should
I leave it as any? I would like to cut down on false positives and such
as much as possible without the risk of losing any truly malicious alerts.
I have seen other configuration examples that have EXTERNAL_NET set to
negate HOME_NET, so I'm not sure which is best.
More information about the Snort-users