Snort mailing list archives

RE: Home_net & external_net


From: "Jeremy Finke" <Jeremy.Finke () MeridianIQ com>
Date: Fri, 6 Dec 2002 10:10:10 -0600

Hmm... that is an interesting idea...  I tried to do what Robby Desmond suggested which was:
var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16] 
var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16]

But, it still seems to have the same problem...  I might be missing something...  My network is a little complicated 
in how some of these things talk to each other...  :D

        -----Original Message----- 
        From: Erek Adams [mailto:erek () theadamsfamily net] 
        Sent: Fri 12/6/2002 9:21 AM 
        To: Jeremy Finke 
        Cc: snort-users () lists sourceforge net 
        Subject: RE: [Snort-users] Home_net & external_net
        
        

        On Fri, 6 Dec 2002, Jeremy Finke wrote:
        
        > Except that I want to view 192.168.41.0 as both an attacking and
        > protected network.
        
        Ok, well that's not clear from your original info.
        
        [I'm short on coffee today, so all brain cells may not be firing...]
        
        What you're doing now:
        
        > var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
        > var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]
        
        Wouldn't work the way you want.  If it does work and is valid (I'm too
        lazy to dig into the source right now) it is the same as setting EXTERNAL
        to !$HOME_NET.
        
        You might want to consider running another instance of snort that is set up
        to just watch the 192.168.41.0 net.  Set up one as external as !$HOME on
        one, then use 'any' on the second.
        
        Granted it's not optimal, but it would work.
        
        Cheers!
        
        -----
        Erek Adams
        Nifty-Type-Guy
        TheAdamsFamily.Net
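
The two-instance layout suggested in the reply above, modelled as an added example (not part of the original thread and not Snort's own code). It assumes the second instance keeps the same HOME_NET, sets EXTERNAL_NET to any, and only sees traffic touching 192.168.41.0/24; the INSTANCES table, function names and sample flows are constructed for illustration.

```python
import ipaddress

# Networks taken from the thread.
HOME = ["192.168.40.0/24", "192.168.41.0/24", "10.14.0.0/16"]

def in_nets(addr, nets):
    """True if addr falls inside any of the listed CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

# Assumed layout: instance A uses EXTERNAL_NET !$HOME_NET on all traffic;
# instance B uses EXTERNAL_NET any and only sees packets touching .41
# ("watch" is a hypothetical stand-in for where/what that sensor captures).
INSTANCES = {
    "A": {"home": HOME, "external": "!HOME", "watch": None},
    "B": {"home": HOME, "external": "any", "watch": ["192.168.41.0/24"]},
}

def is_external(addr, inst):
    if inst["external"] == "any":
        return True
    return not in_nets(addr, inst["home"])  # !$HOME_NET

def rule_fires(src, dst, inst):
    """Header match for: alert ip $EXTERNAL_NET any -> $HOME_NET any"""
    watch = inst["watch"]
    if watch and not (in_nets(src, watch) or in_nets(dst, watch)):
        return False  # this instance never sees the packet
    return is_external(src, inst) and in_nets(dst, inst["home"])

def coverage(src, dst):
    """Names of the instances whose rule header matches this flow."""
    return sorted(n for n, i in INSTANCES.items() if rule_fires(src, dst, i))

# Constructed sample flows (203.0.113.9 is a documentation address).
FLOWS = [
    ("203.0.113.9", "192.168.40.10"),    # outside -> protected net
    ("203.0.113.9", "192.168.41.10"),    # outside -> .41 as protected
    ("192.168.41.10", "192.168.40.10"),  # .41 as attacker
    ("192.168.40.10", "192.168.41.10"),  # internal -> .41
    ("192.168.40.10", "10.14.1.1"),      # internal, not touching .41
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src:>15} -> {dst:<15} alerts from: {coverage(src, dst) or 'none'}")
```

Under these assumptions, a flow from outside to 192.168.41.0/24 matches on both instances, so alerts for it are duplicated.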
        

