[Snort-users] HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules

Al Lewis (allewi) allewi at ...589...
Fri Jun 9 12:39:20 EDT 2017


	Do you have any example traffic?

Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589... 

On 6/9/17, 12:32 PM, "David Smith" <DSmith at ...17880...> wrote:

>ENV: Ubuntu 16.04, Snort V, Barnyard2 V 2.1.14, PulledPork 0.7.3, BASE 1.4.5
>Snort rules, pulled in from PulledPork are being triggered from addresses within the defined HOME_NET as if they are part of the EXTERNAL_NET, which is causing unwanted alerts.
>ipvar HOME_NET [,]
>Rule example:
>alert tcp $EXTERNAL_NET any -> $HOME_NET 53.........
>Can't find anything in docs or web that has solved this issue for me.    Thoughts or ideas?
>Dave Smith
>Check out the vibrant tech community on one of the world's most
>engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
>Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list