Snort mailing list archives

RE: home_net and ext_net question

From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 24 Apr 2003 18:37:14 -0400

At 02:38 PM 4/24/2003 -0700, Everist, Benjamin S. (NASWI) wrote:

<snip>
>Having HOME_NET encapsulate two or more networks can do funny things to the
>Snort rules when one simply negates EXTERNAL_NET (i.e., var EXTERNAL_NET
>!$HOME_NET, or some variant).

What kinds of funny things?

It will do funny things if you try to do HOME_NET as a comma-delimited listand forget to put ['s around it. Otherwise it should be fine.


![10.0.0.0/8,192.168.1.0/24] is different than ! 10.0.0.0/8,192.168.1.0/24

I suspect this is where the "funny things" experience comes in, fromsomeone errantly declaring:


var HOME_NET 10.0.0.0/8,192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

Ooops.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

home_net and ext_net question Mike Zupan (Apr 23)
- <Possible follow-ups>
- Re: home_net and ext_net question Neil Dickey (Apr 23)
- RE: home_net and ext_net question L. Christopher Luther (Apr 23)
- RE: home_net and ext_net question Everist, Benjamin S. (NASWI) (Apr 24)
  - RE: home_net and ext_net question Matt Kettler (Apr 24)
- RE: home_net and ext_net question L. Christopher Luther (Apr 25)
- RE: home_net and ext_net question Matt Kettler (Apr 25)
- RE: home_net and ext_net question L. Christopher Luther (Apr 25)
- RE: home_net and ext_net question Neil Dickey (Apr 25)
  - RE: home_net and ext_net question Matt Kettler (Apr 25)