Snort mailing list archives
Re: snort.conf
From: Leon Ward <leon () countersnipe com>
Date: Fri, 14 Jan 2005 15:13:06 +0000
Hello,

On Fri, 2005-01-14 at 09:39 -0500, spiv007 wrote:
> HOME_NET -> [192.168.0.0/24]
> EXTERNAL_NET !$HOME_NET
>
> So by doing the above I'm just letting snort know 192.168.0.0 is my home network and my external is any but my "home_network"

Yes

> and snort will still report problems on my home network too.

Well, this all depends on the rule itself. A great deal of the signatures are designed to catch traffic flowing one direction, e.g. attacks on your network ($HOME_NET) coming from external parties ($EXTERNAL_NET).

Is there something specific you are hoping to catch?

-Leon
> ?
>
> On Thu, 13 Jan 2005 16:29:52 -0600, Frank Knobbe <frank () knobbe us> wrote:
>> On Thu, 2005-01-13 at 16:38 -0500, spiv007 wrote:
>>> Right, that's what I'm wondering: will "var EXTERNAL_NET !$HOME_NET" show me an internet address attaching another internal address. I'm using bleeding rules to detect virus and spyware. I was thinking "var EXTERNAL_NET any" will be my best option for this case.
>>
>> If you want to catch HOME_NET -> HOME_NET, then yes. Or you can mix them. I have snort.conf's that first set EXTERNAL_NET to HOME_NET, then include various rule sets, and then set EXTERNAL_NET to any, and include some selected rule sets. It all depends on what YOU want to catch.
>>
>> Cheers,
>> Frank
>>
>> PS: I wonder what would happen if I set "var HOME_NET !$EXTERNAL_NET" ;)
>>
>> -------------------------------------------------------
>> The SF.Net email is sponsored by: Beat the post-holiday blues
>> Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
>> It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
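The following is an added illustration, not part of the thread and not Snort code: a simplified Python model of how address variables expand in a rule header, showing which traffic directions each EXTERNAL_NET setting discussed above can alert on. The sample flows and the two rule headers are constructed, and ports, protocols and rule options are ignored.

```python
import ipaddress

def resolve(spec, variables):
    """Return a predicate ip -> bool for a Snort-style address spec.

    Handles 'any', '$VAR', '!spec', a CIDR block and flat '[a,b]' lists
    (simplified: no nested lists).
    """
    spec = spec.strip()
    if spec.startswith("!"):
        inner = resolve(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec == "any":
        return lambda ip: True
    if spec.startswith("$"):
        return resolve(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        parts = [resolve(p, variables) for p in spec[1:-1].split(",")]
        return lambda ip: any(p(ip) for p in parts)
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

def header_matches(header, variables, src, dst):
    """Check only the address part of a rule header: 'SRC -> DST' or 'SRC <> DST'."""
    left, op, right = header.split()
    a, b = resolve(left, variables), resolve(right, variables)
    forward = a(src) and b(dst)
    if op == "<>":  # bidirectional rule: either side may be the source
        return forward or (a(dst) and b(src))
    return forward

# Constructed sample flows: (label, source, destination)
FLOWS = [
    ("outside -> inside", "203.0.113.9", "192.168.0.10"),
    ("inside -> inside", "192.168.0.20", "192.168.0.10"),
    ("inside -> outside", "192.168.0.20", "203.0.113.9"),
]

def coverage(external_net):
    """Which sample flows each rule direction can alert on for a given EXTERNAL_NET."""
    variables = {"HOME_NET": "[192.168.0.0/24]", "EXTERNAL_NET": external_net}
    headers = ["$EXTERNAL_NET -> $HOME_NET", "$HOME_NET -> $EXTERNAL_NET"]
    return {h: [label for label, s, d in FLOWS
                if header_matches(h, variables, s, d)] for h in headers}

if __name__ == "__main__":
    for setting in ("!$HOME_NET", "any"):
        print(setting, coverage(setting))
```

With `!$HOME_NET` the inside-to-inside flow matches neither header; with `any` it matches both, which is the trade-off between coverage and alert volume the thread is weighing.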