The Snort Configuration File
113
var HOME_NET 192.168.1.0/24
Later on you can use this variable HOME_NET in your rules:
alert ip any any > $HOME_NET any (ipopts: lsrr; \
msg: Loose source routing attempt ; sid: 1000001;)
As you can see, using variables makes it very convenient to adapt the configura
tion file and rules to any environment. For example, you don't need to modify all rules
when you copy rules from one network to another; you just need to modify a single
variable.
3.7.1.1
Using a List of Networks in Variables
You can also define variables that contain multiple items. Consider that you have
multiple networks in the company. Your intrusion detection system is right behind the
company firewall connecting to the Internet. You can define a variable as a list of all of
these networks. The following variable shows that HOME_NETWORK consists of two
networks, 192.168.1.0/24 and 192.168.10.0/24.
var HOME_NET [192.168.1.0/24,192.168.10.0/24]
All networks in the variable name are separated by a comma.
3.7.1.2
Using Interface Names in Variables
You can also use interface names in defining variables. The following two state
ments define HOME_NET and EXTERNAL_NET variables on a Linux machine.
var HOME_NET $eth0_ADDRESS
var EXTERNAL_NET $eth1_ADDRESS
The HOME_NET variable uses the IP address and network mask value assigned
to interface eth0 and EXTERNAL_NET uses the IP address and network mask
assigned to network interface eth1. This arrangement is more convenient since you
can change IP addresses on the interfaces without modifying rules or even variables
themselves.
3.7.1.3
Using the any Keyword
The any keyword can also be a variable. It matches to everything, just as it does in
rules (such as addresses and port numbers). For example, if you want to test packets
regardless of their source, you can define a variable like the following for
EXTERNAL_NET.
var EXTERNAL_NET any
There are many variables defined in the snort.conf file that come with the
Snort distribution. While installing Snort, you need to modify these variables according
to your network.
footer
Our partners:
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting
Jsp Web Hosting
Cheapest Web Hosting
Java Hosting
Cheapest Hosting
Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved