Thu Nov 23 16:36:19 EST 2017

> 2) I have connected my Snort IDS box to a (managed) switch port that is set
> up as a SPAN (a.k.a - mirror) port. Eth1 is the Snort interface that is
> connected to that port and eth0 is another NIC in the Snort box that is not
> connected to anything. Eth1 has an IP address that matches the same subnet
> prefix/mask ( as the other devices plugged into the switch,
> and eth0 has an IP address of
> Since this is not an inline IDS, what should the HOME_NET and EXTERNAL_NET
> (var) variables be set to? I am currently using:
> var HOME_NET
> var EXTERNAL_NET any

Check the FAQ [0]--3.3, 3.4 and 3.5.

The short answer really boils down to this:  HOME_NET should be what you
want to watch.  In this case,  EXTERNAL_NET could be set to
'everything else'.  !$HOME_NET for example.
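
An added example (not part of the original thread, and not Snort's own code): a simplified Python model of how `var EXTERNAL_NET any` and `!$HOME_NET` change which flows a `$EXTERNAL_NET any -> $HOME_NET any` rule header applies to. The 192.168.1.0/24 subnet and every flow address are constructed placeholders, since the thread's own addresses are not shown.

```python
import ipaddress

# Constructed placeholder subnet; the thread's real HOME_NET value is not shown.
HOME = "192.168.1.0/24"
BROAD = {"HOME_NET": HOME, "EXTERNAL_NET": "any"}          # setting from the question
STRICT = {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET"}  # setting from the reply

# Constructed sample flows as (source, destination).
FLOWS = {
    "inbound": ("203.0.113.7", "192.168.1.10"),
    "lateral": ("192.168.1.20", "192.168.1.10"),
    "outbound": ("192.168.1.10", "203.0.113.7"),
}

def resolve(value, variables):
    """Expand a Snort-style address value into (negated, network or None for 'any')."""
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if value.startswith("$"):
        inner_negated, net = resolve(variables[value[1:]], variables)
        return negated != inner_negated, net
    if value == "any":
        return negated, None
    return negated, ipaddress.ip_network(value)

def addr_matches(addr, value, variables):
    """True if addr falls inside the (possibly negated) address value."""
    negated, net = resolve(value, variables)
    hit = True if net is None else ipaddress.ip_address(addr) in net
    return hit != negated

def rule_matches(flow, variables, src="$EXTERNAL_NET", dst="$HOME_NET"):
    """True if a rule header '<src> any -> <dst> any' applies to this flow."""
    return (addr_matches(flow[0], src, variables)
            and addr_matches(flow[1], dst, variables))

def compare():
    """Map each flow name to (matches under 'any', matches under '!$HOME_NET')."""
    return {name: (rule_matches(f, BROAD), rule_matches(f, STRICT))
            for name, f in FLOWS.items()}

if __name__ == "__main__":
    for name, (broad, strict) in compare().items():
        print(f"{name:9} any={broad!s:5} !$HOME_NET={strict}")
```

The lateral flow is the difference: with `any`, traffic between two hosts inside HOME_NET still matches an `$EXTERNAL_NET -> $HOME_NET` rule, while with `!$HOME_NET` it does not.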


