[Snort-users] Regarding snort.conf HOME_NET and EXTERNAL_NET

Brandon Phelps bphelps at ...15414...
Thu Nov 10 16:39:16 EST 2011


The default snort.conf indicates that you should leave EXTERNAL_NET as 
"any" in most situations.

I already have HOME_NET set to [] (my internal network) so 
would it be prudent to set EXTERNAL_NET to !$HOME_NET instead, or should 
I leave it as any?  I would like to cut down on false positives and such 
as much as possible without the risk of losing any truly malicious alerts.

I have seen other configuration examples that have EXTERNAL_NET set to 
negate HOME_NET, so I'm not sure which is best.

