Thu Nov 23 16:36:19 EST 2017
> 2) I have connected my Snort IDS box to a (managed) switch port that is set
> up as a SPAN (a.k.a - mirror) port. Eth1 is the Snort interface that is
> connected to that port and eth0 is another NIC in the Snort box that is not
> connected to anything. Eth1 has an IP address that matches the same subnet
> prefix/mask (172.20.0.0/16) as the other devices plugged into the switch,
> and eth0 has an IP address of 192.168.168.1/24.
> Since this is not an inline IDS, what should the HOME_NET and EXTERNAL_NET
> (var) variables be set to? I am currently using:
> var HOME_NET 192.168.168.0/24
> var EXTERNAL_NET any
Check the FAQ -- 3.3, 3.4 and 3.5.
The short answer really boils down to this: HOME_NET should be what you
want to watch. In this case, 172.20.0.0/16. EXTERNAL_NET could be set to
'everything else'. !$HOME_NET for example.
"It looks just like a Telefunken U-47. You'll love it..." -- Frank Zappa
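
An added example, not part of the original thread and not Snort's own code: a simplified model of how the address part of a rule header `$EXTERNAL_NET any -> $HOME_NET any` evaluates against mirrored traffic under the settings from the question and from the reply. The function names and the sample addresses are constructed for illustration, and only `any`, a single CIDR, `$VAR` and `!` negation are modelled.

```python
import ipaddress

def resolve(spec, variables):
    """Return a predicate for an address spec: any, CIDR, $VAR or !spec."""
    spec = spec.strip()
    if spec.startswith("!"):
        inner = resolve(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return resolve(variables[spec[1:]], variables)
    if spec == "any":
        return lambda ip: True
    net = ipaddress.ip_network(spec)
    return lambda ip: ipaddress.ip_address(ip) in net

def rule_matches(variables, src, dst):
    """Address check for a header '$EXTERNAL_NET any -> $HOME_NET any'."""
    src_ok = resolve("$EXTERNAL_NET", variables)(src)
    dst_ok = resolve("$HOME_NET", variables)(dst)
    return src_ok and dst_ok

# Settings from the question and from the reply.
QUESTION = {"HOME_NET": "192.168.168.0/24", "EXTERNAL_NET": "any"}
REPLY = {"HOME_NET": "172.20.0.0/16", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed (src, dst) pairs as they would appear on the SPAN port.
PACKETS = {
    "inbound": ("203.0.113.7", "172.20.5.10"),
    "lateral": ("172.20.9.9", "172.20.5.10"),
    "outbound": ("172.20.5.10", "203.0.113.7"),
}

def coverage(variables):
    """Map each sample packet to whether the rule header would match it."""
    return {name: rule_matches(variables, s, d)
            for name, (s, d) in PACKETS.items()}

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("reply", REPLY)):
        print(label, coverage(cfg))
```

With HOME_NET set to the unconnected eth0 subnet, no mirrored packet has a destination inside it, so this header never matches. With the reply's settings the inbound packet matches, while traffic between two 172.20.0.0/16 hosts does not, because its source is excluded by `!$HOME_NET`.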