Snort mailing list archives
RE: home_net and ext_net question
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 25 Apr 2003 15:25:24 -0400
At 01:07 PM 4/25/2003 -0500, Neil Dickey wrote:
If HOME_NET is defined thus ... var HOME_NET any ... and EXTERNAL_NET as follows ... var EXTERNAL_NET !$HOME_NET ... then will a rule written like this ... alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Whatever";) ... ever match? Alternatively, if EXTERNAL_NET is set this way ... var EXTERNAL_NET $HOME_NET ... would such a rule match on everything that comes past? Recent posts on the list have shown these variables set the latter way, and I'm not sure why anyone would do that.
You are correct, it would never match. I was excluding the case of HOME_NET being any, since this thread was about comma delimited lists of multiple IP ranges.
In the case of using "any" for HOME_NET you want: var HOME_NET any var EXTERNAL_NET any But again, that's not really a part of this thread. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- home_net and ext_net question Mike Zupan (Apr 23)
- <Possible follow-ups>
- Re: home_net and ext_net question Neil Dickey (Apr 23)
- RE: home_net and ext_net question L. Christopher Luther (Apr 23)
- RE: home_net and ext_net question Everist, Benjamin S. (NASWI) (Apr 24)
- RE: home_net and ext_net question Matt Kettler (Apr 24)
- RE: home_net and ext_net question L. Christopher Luther (Apr 25)
- RE: home_net and ext_net question Matt Kettler (Apr 25)
- RE: home_net and ext_net question L. Christopher Luther (Apr 25)
- RE: home_net and ext_net question Neil Dickey (Apr 25)
- RE: home_net and ext_net question Matt Kettler (Apr 25)