Snort mailing list archives

Alternate EXTERNAL_NET Problems


From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Thu, 17 Mar 2005 17:10:33 -0500

I have tried to set up Snort variables
   var HOME_NET1 [ a bunch of subnets ]  
   var EXTERNAL_NET1 !HOME_NET1 
and then modified some of the NETBIOS alerts to use $EXTERNAL_NET1
instead of $EXTERNAL_NET.
However, I end up with alerts for IP addrs which are in HOME_NET1.

I also tried modifying the same NETBIOS rules replacing $EXTERNAL_NET
with !$HOME_NET1 and also end up with alerts for IP addrs in HOME_NET1.

If I make HOME_NET the same as HOME_NET1 and
 var EXTERNAL_NET !HOME_NET 
then all the NETBIOS rules work as expected.

Is there a reason why EXTERNAL_NET1 or !$HOME_NET1 does not work as
I expect?

I'm running Snort 2.3.0 on Windows 2000.


Thanks,
Bruce
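
A way to confirm the symptom reported above from the alert file, as an added example that is not part of the original post: it lists alerts whose source address falls inside the home list. The subnets, the alert lines and the `[1:0:0]` rule id are constructed placeholders, and it assumes the modified rules use the negated variable as their source.

```python
import ipaddress
import re

# Constructed stand-in for "[ a bunch of subnets ]"; the post does not list them.
HOME_NET1 = "[10.1.0.0/16,192.168.5.0/24]"

# Constructed alerts in Snort's "fast" alert format.
SAMPLE_ALERTS = """\
03/17-17:02:11.104233  [**] [1:0:0] NETBIOS example rule [**] [Priority: 3] {TCP} 10.1.4.20:1042 -> 10.1.9.7:139
03/17-17:03:45.551020  [**] [1:0:0] NETBIOS example rule [**] [Priority: 3] {TCP} 203.0.113.8:3321 -> 10.1.9.7:445
03/17-17:05:02.000871  [**] [1:0:0] NETBIOS example rule [**] [Priority: 3] {TCP} 192.168.5.33:1100 -> 10.1.9.7:139
"""

# "{PROTO} src[:port] -> dst[:port]" at the end of a fast alert line.
FLOW = re.compile(
    r"\{\w+\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?"
)

def parse_ip_list(value):
    """Parse a Snort-style IP list such as [10.1.0.0/16,192.168.5.0/24]."""
    items = value.strip().strip("[]").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]

def in_list(addr, nets):
    """True if addr belongs to any network in nets."""
    return any(ipaddress.ip_address(addr) in n for n in nets)

def unexpected_alerts(alert_text, home_value):
    """Return (source, line) for alerts whose source is inside the home list.

    Assumption: the rules use a negated home list as the source, so a
    source address inside that list means the negation did not apply.
    """
    nets = parse_ip_list(home_value)
    hits = []
    for line in alert_text.splitlines():
        m = FLOW.search(line)
        if m and in_list(m.group(1), nets):
            hits.append((m.group(1), line))
    return hits

if __name__ == "__main__":
    for src, line in unexpected_alerts(SAMPLE_ALERTS, HOME_NET1):
        print(f"source {src} is inside HOME_NET1: {line}")
```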

