No subject


Thu Nov 23 16:36:19 EST 2017


startup script.

> 2) I have connected my Snort IDS box to a (managed) switch port that is set
> up as a SPAN (a.k.a - mirror) port. Eth1 is the Snort interface that is
> connected to that port and eth0 is another NIC in the Snort box that is not
> connected to anything. Eth1 has an IP address that matches the same subnet
> prefix/mask (172.20.0.0/16) as the other devices plugged into the switch,
> and eth0 has an IP address of 192.168.168.1/24.
>
> Since this is not an inline IDS, what should the HOME_NET and EXTERNAL_NET
> (var) variables be set to? I am currently using:
>
> var HOME_NET 192.168.168.0/24
> var EXTERNAL_NET any

Check the FAQ [0]--3.3, 3.4 and 3.5.

The short answer really boils down to this:  HOME_NET should be what you
want to watch.  In this case, 172.20.0.0/16.  EXTERNAL_NET could be set to
'everything else'.  !$HOME_NET for example.

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa


[0]	http://www.snort.org/docs/FAQ.txt
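
The effect of the two settings discussed above, as an added example that is not part of the original message or of Snort itself. It uses a simplified model of variable lookup, three constructed flows, and assumes a rule header of the common shape "alert tcp $EXTERNAL_NET any -> $HOME_NET any":

```python
import ipaddress

# Constructed flows as they would appear on the SPAN port (src, dst).
FLOWS = [
    ("203.0.113.5", "172.20.1.10"),   # outside host -> monitored host
    ("172.20.1.10", "172.20.2.20"),   # monitored host -> monitored host
    ("172.20.1.10", "203.0.113.5"),   # monitored host -> outside host
]

# Variable sets: the one from the question, the one from the reply, and a
# third (HOME_NET fixed, EXTERNAL_NET left at 'any') for comparison.
CONFIGS = {
    "original":  {"HOME_NET": "192.168.168.0/24", "EXTERNAL_NET": "any"},
    "suggested": {"HOME_NET": "172.20.0.0/16", "EXTERNAL_NET": "!$HOME_NET"},
    "home+any":  {"HOME_NET": "172.20.0.0/16", "EXTERNAL_NET": "any"},
}

def in_var(addr, name, cfg):
    """Simplified model of a variable: 'any', one CIDR, $VAR, leading '!'."""
    value = cfg[name]
    negate = value.startswith("!")
    value = value.lstrip("!")
    if value.startswith("$"):
        hit = in_var(addr, value[1:], cfg)      # follow the reference
    elif value == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value)
    return hit != negate                        # apply the negation

def header_matches(src, dst, cfg):
    """Address part of: alert tcp $EXTERNAL_NET any -> $HOME_NET any"""
    return in_var(src, "EXTERNAL_NET", cfg) and in_var(dst, "HOME_NET", cfg)

def evaluate(cfg_name):
    """Return one match result per constructed flow, in FLOWS order."""
    cfg = CONFIGS[cfg_name]
    return [header_matches(s, d, cfg) for s, d in FLOWS]

if __name__ == "__main__":
    for name in CONFIGS:
        print(f"{name:10s}", evaluate(name))
```

With the original values none of the constructed flows match, because no mirrored packet is addressed to 192.168.168.0/24. Leaving EXTERNAL_NET at any also matches the internal-to-internal flow, which !$HOME_NET excludes.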




More information about the Snort-users mailing list