[Snort-users] Regarding snort.conf HOME_NET and EXTERNAL_NET

Adam Hogan ahogan at ...1935...
Fri Nov 11 07:52:06 EST 2011

On Thu, Nov 10, 2011 at 4:39 PM, Brandon Phelps <bphelps at ...15414...> wrote:

> Hello,
> The default snort.conf indicates that you should leave EXTERNAL_NET as
> "any" in most situations.
> I already have HOME_NET set to [] (my internal network) so
> would it be prudent to set EXTERNAL_NET to !$HOME_NET instead, or should
> I leave it as any?  I would like to cut down on false positives and such
> as much as possible without the risk of losing any truly malicious alerts.
> I have seen other configuration examples that have EXTERNAL_NET set to
> negate HOME_NET, so I'm not sure which is best.
> Thanks,
> Brandon
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!


If you set $EXTERNAL_NET to !$HOME_NET you would miss any attacks that
originate in your network. If somebody brought malware into your office on
their laptop it could spread around your network all day without firing an
alert. If you want to see these kinds of alerts on this sensor then you
should leave EXTERNAL_NET set to any.

-- Adam W. Hogan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20111111/e9c1d2a6/attachment.html>

More information about the Snort-users mailing list