Snort mailing list archives
RE: What am I missing?
From: "Ed Greshko" <Edward.M.Greshko () syntegra com>
Date: Sun, 6 May 2001 12:56:22 +0800
Max,
Snort configuration:
var HOME_NET [10.220.17.0/24,!10.220.17.96/32]
var EXTERNAL_NET !$HOME_NET
The machines are on the same subnet, yet you are defining EXTERNAL_NET as "everything that is not in the internal subnet"... so any rule that watches for external->internal will skip right over your traffic.
I would have thought that the !10.220.17.96/32 would make that host (even though it is on the same subnet) not part of HOME_NET. Then, since EXTERNAL_NET is everything not on HOME_NET I thought a !! would make .96 part of the EXTERNAL_NET.
Try setting EXTERNAL_NET to "any" if you want to do local testing like this...
OK....I'll give that a try....
Thanks,
Ed
P.S. No switch.