Snort mailing list archives

Vision rules EXTERNAL/EXTERNAL_NET

From: Andy Bach <root () wiwb uscourts gov>
Date: Wed, 16 May 2001 15:03:34 -0500

Hi Folks,

Just trying the vision.rules for the first time and I had to add:
var INTERNAL $HOME_NET
var EXTERNAL $EXTERNAL_NET
after the original defs to keep all the rules working - is this normal?

I'm also getting:
May 16 14:51:01 pmwiwb snort: ERROR vision.rules (1) => Invalid CIDR 
block for IP addr 1024:
(rule 1):
alert TCP $EXTERNAL 1024: -> $INTERNAL 2589 (msg: 
  "IDS483/trojan-dagger_1.4.0_client_connect"; flags: A+; 
  content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16;)

Is that because I'm using the:
var HOME_NET $eth0_ADDRESS

format?  The snort rules all worked fine - is there a standard story for 
using one set over the other?

Thanks.

a

Andy Bach, Sys. Mgr
Internet: andy () wiwb uscourts gov    VOICE: (608) 264-5178 ex 5738, FAX 264-510

   UNIX *is* user friendly. It is just a bit selective about her friends.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Vision rules EXTERNAL/EXTERNAL_NET Andy Bach (May 16)
- Re: Vision rules EXTERNAL/EXTERNAL_NET Phil Wood (May 16)
- <Possible follow-ups>
- RE: Vision rules EXTERNAL/EXTERNAL_NET Kevin Brown (May 16)