<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Candara;
        panose-1:2 14 5 2 3 3 3 2 2 4;}
@font-face
        {font-family:Georgia;
        panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
        {font-family:"Bookman Old Style";
        panose-1:2 5 6 4 5 5 5 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Your home net should be the address ranges of the hosts you are trying to monitor / protect. Everyone else “should” be considered external
 net.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#1F497D">Albert Lewis<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#888888">QA Software Engineer<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Georgia","serif";color:#999999">SOURCE</span><b><span style="font-family:"Georgia","serif";color:red">fire</span></b><span style="font-family:"Georgia","serif";color:#999999">, Inc.
</span><span style="font-family:"Georgia","serif";color:#888888">now part of </span>
<b><span style="font-family:"Georgia","serif";color:#31849B">Cisco</span></b><span style="font-family:"Georgia","serif";color:#888888"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#999999">9780 Patuxent Woods Drive<br>
Columbia, MD 21046 </span><span style="font-family:"Candara","sans-serif";color:#888888"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#999999">Phone: (office) </span><span style="font-family:"Candara","sans-serif";color:#1F497D">443.430.7112<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Candara","sans-serif";color:#999999">Email:
</span><span style="font-family:"Candara","sans-serif";color:#1F497D">allewi@...589...</span><span style="font-family:"Candara","sans-serif";color:#4F81BD"> </span><span style="font-family:"Candara","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> mehdi maleki [mailto:mehdimlk2003@...131...]
<br>
<b>Sent:</b> Thursday, August 20, 2015 8:04 AM<br>
<b>To:</b> snort-sigs@lists.sourceforge.net ; snort-users-owner@lists.sourceforge.net ; Snort-users@lists.sourceforge.net
<br>
<b>Subject:</b> [Snort-users] configure snort when using NAT<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Bookman Old Style","serif";color:black">I am trying to use the CDX dataset (<a href="http://www.usma.edu/crc/SitePages/DataSets.aspx" target="_blank" id="yui_3_16_0_1_1440071547859_3316">http://www.usma.edu/crc/SitePages/DataSets.aspx</a>).<br id="yui_3_16_0_1_1440071547859_3320">
They mention that they used NAT (network address translation) in their network.<o:p></o:p></span></p>
<div id="yui_3_16_0_1_1440071547859_3343">
<p class="MsoNormal" style="background:white"><span style="font-family:"Bookman Old Style","serif";color:black">Their network topology is here: (<a href="http://www.usma.edu/crc/SiteAssets/SitePages/DataSets/CDX_2009_Network_USMA.pdf" target="_blank" id="yui_3_16_0_1_1440071547859_3324">http://www.usma.edu/crc/SiteAssets/SitePages/DataSets/CDX_2009_Network_USMA.pdf</a>).
 I am mixed up about how to configure the HOME_NET variable in snort.conf. Should I use the internal address or the external address? They deliver a Snort alert output file (<a href="https://drive.google.com/open?id=0B0u9Tg7udaAXd3dZVGRVWWJ1ZW8&authuser=0" target="_blank" id="yui_3_16_0_1_1440071547859_3330">https://drive.google.com/open?id=0B0u9Tg7udaAXd3dZVGRVWWJ1ZW8&authuser=0</a>),
 but the addresses in this file are different from my SO-generated alert file. Please help me configure the HOME &amp; EXTERNAL IP addresses in snort.conf for using this dataset.<o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1440071547859_3306">
<p class="MsoNormal" style="background:white"><span style="font-family:"Bookman Old Style","serif";color:black"> <o:p></o:p></span></p>
</div>
<div id="yui_3_16_0_1_1440071547859_3304">
<p class="MsoNormal" style="background:white"><span style="font-family:"Bookman Old Style","serif";color:black">Sincerely yours Mahdi Maleki<o:p></o:p></span></p>
</div>
</div>
</div>
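An added example, not part of the original thread: one way to check which form of the monitored hosts' addresses (internal or NAT'd external) actually appears in the traffic Snort processed, and to derive the matching `snort.conf` variables from it. The alert lines, the candidate ranges and the function names are constructed for illustration and are not taken from the CDX dataset.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format (not from the CDX dataset).
SAMPLE_ALERTS = """\
08/20-08:04:01.120000  [**] [1:1000001:1] Constructed test rule [**] [Priority: 2] {TCP} 198.51.100.7:44512 -> 10.1.60.25:80
08/20-08:04:02.310000  [**] [1:1000001:1] Constructed test rule [**] [Priority: 2] {TCP} 198.51.100.9:51200 -> 10.1.60.73:22
08/20-08:04:03.000000  [**] [1:1000002:1] Constructed test rule [**] [Priority: 3] {UDP} 10.1.60.25:53 -> 203.0.113.5:53
08/20-08:04:04.500000  [**] [1:1000003:1] Constructed test rule [**] [Priority: 3] {ICMP} 198.51.100.7 -> 10.1.60.187
"""

# Hypothetical candidates: the monitored hosts' private range and their NAT'd public range.
CANDIDATES = {"internal": "10.1.60.0/24", "external": "192.0.2.0/28"}

# Source and destination follow the "{PROTO}" field; ports are absent for ICMP.
ENDPOINTS = re.compile(
    r"\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

def count_hits(alert_text, candidates):
    """Count alert endpoints (source or destination) inside each candidate range."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in candidates.items()}
    hits = Counter({name: 0 for name in nets})
    for line in alert_text.splitlines():
        match = ENDPOINTS.search(line)
        if not match:
            continue  # skip lines that are not fast-format alerts
        for addr in map(ipaddress.ip_address, match.groups()):
            for name, net in nets.items():
                if addr in net:
                    hits[name] += 1
    return dict(hits)

def suggest_vars(alert_text, candidates):
    """Return snort.conf lines for the range the sensor actually saw, or None."""
    hits = count_hits(alert_text, candidates)
    best = max(hits, key=hits.get)
    if hits[best] == 0:
        return None  # neither candidate range appears in the traffic
    # Everything outside HOME_NET is treated as external, as the reply advises.
    return [f"ipvar HOME_NET [{candidates[best]}]", "ipvar EXTERNAL_NET !$HOME_NET"]

if __name__ == "__main__":
    print(count_hits(SAMPLE_ALERTS, CANDIDATES))
    print("\n".join(suggest_vars(SAMPLE_ALERTS, CANDIDATES)))
```

Running the same count over two alert files produced from the same capture shows quickly whether they disagree because one was generated with the other side of the NAT as `HOME_NET`.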
</body>
</html>