Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous
Next: 3.5 How do I Up: 3 Configuring Snort Previous: 3.3 What are HOME_NET

3.4 My network spans multiple subnets. How do I define HOME_NET?

Snort 1.7 supports IP lists. You can assign a number of addresses to a single variable. For example: 

var HOME_NET [10.1.1.0/24,192.168.1.0/24]

NOTE: Not all preprocessors support IP lists at this time. Unless otherwise stated, assume that any preprocessor using an IP list variable will use the first value as the HOME_NET. The portscan preprocessor is an example. To catch all detectable portscans, pass 0.0.0.0/0 in as the first parameter. 

preprocessor portscan: 0.0.0.0/0 5 3 portscan.log

Use the portscan-ignorehosts preprocessor to fine tune and ignore traffic from noisy, trusted machines.


Nigel Houghton 2006-10-02
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.