[Snort-users] home_net & external_net question

slava at ...13788... slava at ...13788...
Tue Jul 16 03:13:09 EDT 2013


On 16.07.2013 02:09, Joel Esler wrote:
> Are you using a snort in inline mode, or is it built into a firewall?
Thanks, Joel.
That's a pfsense snort instance.A rather old one (2.9.2.3), but
nevertheless.
So, it's built into the firewall.

-- 
Slava

>
>
> --
> Joel Esler
> Sent from my iPad
>
> On Jul 15, 2013, at 5:57 PM, "slava at ...13788..." <slava at ...13788...> wrote:
>
>> Hello,
>>
>> I'm not very skilled with snort. But have some understanding of how it
>> works.
>> So here is my situation:
>> We have a snort instance, which protect out internal network.
>> HOME_NET is set with a bunch of internal networks.
>> EXTERNAL_NET is set as !$HOME_NET
>> Today a few sites have been infected with a trojan, and upon it
>> activation, all sites from our internal network have been blocked at once.
>>
>> My question is : Did snort acted correctly by blocking IPs from HOME_NET
>> or not ?
>> Should snort not block networks listed in HOME_NET no matter what ?
>>
>>
>> Appreciate any help.
>> Thank you,
>> Slava
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>





More information about the Snort-users mailing list