[Snort-users] HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules

David Smith DSmith at ...17880...
Fri Jun 9 12:32:01 EDT 2017


Members,

ENV: Ubuntu 16.04, Snort V 2.9.9.0, Barnyard2 V 2.1.14, PulledPork 0.7.3, BASE 1.4.5


Snort rules, pulled in from PulledPork, are being triggered from addresses within the defined HOME_NET as if they are part of the EXTERNAL_NET, which is causing unwanted alerts.

Snort.conf:
ipvar HOME_NET [192.168.1.0/24,192.168.3.0/24]
ipvar EXTERNAL_NET !$HOME_NET

Rule example:
alert tcp $EXTERNAL_NET any -> $HOME_NET 53.........

Can't find anything in docs or web that has solved this issue for me. Thoughts or ideas?

Thanks!

Dave Smith
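
An added example, not part of the original post and not Snort's own code: a small checker that reads the two ipvar lines quoted above and reports which variable a given alert source address falls into, so each unwanted alert can be checked against the configured ranges. It assumes a simplified model of the ipvar syntax (an address matches a list when it is in at least one non-negated element and in no negated element); the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two ipvar lines quoted in the post.
SNORT_CONF = """\
ipvar HOME_NET [192.168.1.0/24,192.168.3.0/24]
ipvar EXTERNAL_NET !$HOME_NET
"""

def parse_ipvars(conf_text):
    """Map each ipvar name to its raw definition string."""
    return dict(re.findall(r"^\s*ipvar\s+(\S+)\s+(\S.*?)\s*$", conf_text, re.M))

def split_list(body):
    """Split a bracketed list body on commas that are not nested."""
    items, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return items + [cur.strip()]

def matches(addr, expr, ipvars):
    """Assumed semantics: in some non-negated element, in no negated one."""
    expr = expr.strip()
    if expr.startswith("!"):          # negation of a variable, list or CIDR
        return not matches(addr, expr[1:], ipvars)
    if expr.startswith("$"):          # reference to another ipvar
        return matches(addr, ipvars[expr[1:]], ipvars)
    if expr.startswith("["):          # bracketed list
        items = split_list(expr[1:-1])
        neg = [i[1:] for i in items if i.startswith("!")]
        pos = [i for i in items if not i.startswith("!")]
        if any(matches(addr, n, ipvars) for n in neg):
            return False
        return not pos or any(matches(addr, p, ipvars) for p in pos)
    if expr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(expr, strict=False)

def classify(addr, conf_text=SNORT_CONF):
    """List the ipvars from conf_text that addr falls into."""
    ipvars = parse_ipvars(conf_text)
    return [name for name, expr in ipvars.items() if matches(addr, expr, ipvars)]
```

For the constructed address 192.168.2.15, `classify` returns `['EXTERNAL_NET']`: it is an RFC 1918 address, but neither /24 in the quoted HOME_NET covers it.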



