Re: Setting the Home and External Net variables

[Kevin Ross <kevross33 () googlemail com>]

Remove the negation in HOME_NET for the 10.12 I am agraid because you can't
negate the negation because 10.12 negated and then you are negating that.

Kevin

On 13 April 2012 06:55, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:

> Hi,
> I have a snort sensor that monitors one of my networks. The said network
> is actually a collection of a few 10.x.y.0/24 networks which can grow
> further in future. So I thought 10.0.0.0/8 is a good enough approximation
> for my home_net. However, keeping the firewall 10.12.100.100 in HOME_NET
> wouldn't make much sense (Since the sensor actually listens between the
> firewall and 10 network core switch). SO I configured this
> HOME_NET [10.0.0.0/8,!10.12.100.100 <http://10.0.0.0/8,%2110.12.100.100>]
>
> Now for the external_net, I can either
> 1) Set EXTERNAL_NET any - This helps me in monitoring rougue internal nodes
> 2) Set external_NET to some specific values
>
> Since I mirror a top level switch, there is not point in using 'any' as
> not all the intra-network traffic will be seen (And it leads to a lot of
> false positives)
> But setting EXTERNAL_NET !$HOME_NET gives me an error.
> ERROR: /etc/snort/snort.conf(48) Negated IP ranges that are more general
> than non-negated ranges are not allowed. Consider inverting the logic in
> EXTERNAL_NET
>  How can I accurately set my HOME_NET and EXTERNAL_NET?
>
>
>
> ------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!