Snort mailing list archives

Re: External Subnets


From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Wed, 26 Nov 2003 02:27:52 +0100

I haven't tried it yet, and while it's 2:30 AM here in Belgium it will have to 
wait till tomorrow :-)
But I think yes, and if not, why don't you say then
var NETWORK 192.168.0.0/24
var EXTERNAL_NET !$NETWORK
for example?

Although I don't think it's such a good idea to take anything other than 'any'
for the $EXTERNAL_NET, as many attack rules are based on the fact that the 
attacker is on the external net. By setting this to something like !$NETWORK, 
every employee in your firm on $NETWORK can attack any host on your network 
unnoticed, which cannot be what you meant it to be I think...
Any ideas on this?

Greetz,
Erwin Van de Velde
Student of the Antwerp University,
Belgium


On Wednesday 26 November 2003 01:10, adam_peterson () splwg com wrote:
Is it possible to specify a negative variable value for a variable?
Meaning:

var EXTERNAL_NET        !HOME_NET

The bang is just an idea of something that would negate the value so that
my external_net variable would be any ip/subnet that isn't part of the
home_net variable.  Is there anything in place to allow for this?  Could
there be?  Since so many of the rules are based on the external_net
variable, it's very frustrating that it must be set to ANY for my
configurations because I can't specify every subnet on the Internet...or
can I?

Any help/advice is greatly appreciated.

Adam Peterson | Senior WAN Engineer | SPL WorldGroup |
adam_peterson () splwg com
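
The coverage trade-off raised in the reply, as an added example that is not part of the original thread: it evaluates the address part of a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` against three constructed flows, once with EXTERNAL_NET set to any and once set to !$HOME_NET. The function names and flows are hypothetical, HOME_NET stands in for the reply's $NETWORK, and only single CIDRs, `any`, `$VAR` and a leading `!` are modelled (no address lists or ports).

```python
import ipaddress


def in_var(ip, spec, variables):
    """Evaluate a simplified Snort-style address spec for one IP.

    Supports 'any', a single CIDR, '$VAR' references and a leading '!'.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec.startswith("$"):
        result = in_var(ip, variables[spec[1:]], variables)
    elif spec == "any":
        result = True
    else:
        result = ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    return result != negate  # flip the result when the spec was negated


def header_matches(src, dst, variables,
                   src_spec="$EXTERNAL_NET", dst_spec="$HOME_NET"):
    """True if the flow's addresses satisfy 'src_spec -> dst_spec'."""
    return in_var(src, src_spec, variables) and in_var(dst, dst_spec, variables)


# Constructed sample flows (source, destination); documentation address ranges
# are used for the outside hosts.
FLOWS = [
    ("203.0.113.7", "192.168.0.10"),   # outside -> inside
    ("192.168.0.55", "192.168.0.10"),  # inside  -> inside
    ("192.168.0.55", "198.51.100.9"),  # inside  -> outside
]


def coverage(external_net):
    """Per-flow match results for a given EXTERNAL_NET definition."""
    variables = {"HOME_NET": "192.168.0.0/24", "EXTERNAL_NET": external_net}
    return [header_matches(s, d, variables) for s, d in FLOWS]


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        for (src, dst), hit in zip(FLOWS, coverage(setting)):
            print(f"EXTERNAL_NET={setting:<11} {src:>13} -> {dst:<13} "
                  f"{'inspected' if hit else 'not matched'}")
```

The inside-to-inside flow is the only one whose result changes between the two settings, which is the blind spot the reply describes.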


