Snort mailing list archives
Vision rules EXTERNAL/EXTERNAL_NET
From: Andy Bach <root () wiwb uscourts gov>
Date: Wed, 16 May 2001 15:03:34 -0500
Hi Folks,

Just trying the vision.rules for the first time and I had to add:

var INTERNAL $HOME_NET
var EXTERNAL $EXTERNAL_NET

after the original defs to keep all the rules working - is this normal? I'm also getting:

May 16 14:51:01 pmwiwb snort: ERROR vision.rules (1) => Invalid CIDR block for IP addr 1024: (rule 1): alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg: "IDS483/trojan-dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16;)

Is that because I'm using the:

var HOME_NET $eth0_ADDRESS

format? The snort rules all worked fine - is there a standard story for using one set over the other?

Thanks.

a

Andy Bach, Sys. Mgr
Internet: andy () wiwb uscourts gov
VOICE: (608) 264-5178 ex 5738, FAX 264-510

UNIX *is* user friendly. It is just a bit selective about her friends.