You have to declare these values as they are variables. Once you assign a value to them, they will retain the IP. Then, every reference will be fine. Otherwise, it has no idea. If you downloaded your rules set from Snort directly, if memory serves, they default to a value of "any" for those variables. This WILL work, but it is not very specific. You will end up seeing more data reported by Snort than you had originally planned as it will apply both internal and external rules to both segments of your network since you have not specified the interface.
Here is the declaration for the variables in the Snort.conf file: var HOME_NET any var EXTERNAL_NET any As I stated, you can specify the interface by IP and replace the "any" keyword above. This was just an example for you to use. Hope that helps! Good luck, Bejon -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Saturday, March 02, 2002 10:09 AM To: [EMAIL PROTECTED] Subject: Snort config questions Hello, when configuring various snort rules, does the EXTERNAL_NET variabe automatically monitor your external NIC or do you have to add your IP to every line? (same for HOME_NET). Also, when I add my IP and test snort, I get a bad port error. What is the correct way to put my IP in a line? thanks dp
