Snort mailing list archives
Re: EXTERNAL_NET
From: Phil Wood <cpw () lanl gov>
Date: Sun, 23 Jun 2002 22:01:26 -0600
On Sun, Jun 23, 2002 at 03:36:22AM -0400, Ashley Thomas wrote:
I was using var HOME_NET [A.B.0.0/16] var EXTERNAL_NET any Then i was also logging some alerts which had A.B.x.y - > A.B.z.w So i changed to var EXTERNAL_NET !HOME_NET
I'm sorry! I gave you a bumb steer. When you use a variable for a value in a config statement like: var EXTERNAL_NET "variable" it needs to look like var EXTERNAL_NET !$HOME_NET
But now i dont see any alerts !! Although there were some scans which were detected by another IDS. Is there some problem still with the above statement ? thanks -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Phil Wood Sent: Sunday, June 23, 2002 2:11 AM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] EXTERNAL_NET On Sun, Jun 23, 2002 at 01:32:40AM -0400, Ashley Thomas wrote:Is it correct to say var EXTERNAL_NET !A.B.0.0/8 if i need to consider every ip except A.B.0.0 range as external ?var HOME_NET [A.B.0.0/16]* var EXTERNAL_NET !HOME_NET The brackets allow for some more nets like: var HOME_NET [A.B.0.0/16,192.168.1.0/24]thanks ashley ------------------------------------------------------- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Phil Wood, cpw () lanl gov ------------------------------------------------------- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov ------------------------------------------------------- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- EXTERNAL_NET Ashley Thomas (Jun 22)
- Re: EXTERNAL_NET Phil Wood (Jun 22)
- RE: EXTERNAL_NET Don (Jun 23)
- RE: EXTERNAL_NET Ashley Thomas (Jun 23)
- Re: EXTERNAL_NET Phil Wood (Jun 23)
- Re: EXTERNAL_NET Phil Wood (Jun 22)