[Snort-users] home_net & external_net question

slava at ...13788... slava at ...13788...
Mon Jul 15 17:57:26 EDT 2013


Hello,

I'm not very skilled with Snort, but I have some understanding of how it
works.
So here is my situation:
We have a Snort instance, which protects our internal network.
HOME_NET is set with a bunch of internal networks.
EXTERNAL_NET is set as !$HOME_NET
Today a few sites have been infected with a trojan, and upon its
activation, all sites from our internal network have been blocked at once.

My question is: Did Snort act correctly by blocking IPs from HOME_NET
or not?
Should Snort not block networks listed in HOME_NET no matter what?


Appreciate any help.
Thank you,
Slava



