[Oisf-users] Discrepancies in Snort and Suricata alerts

Travis Green travis at travisgreen.net
Fri Oct 5 17:01:40 UTC 2018

In my environment, it appeared that I was able to reproduce the problem.
Then, in troubleshooting, I modified the rule in question to remove
$HOME_NET and replace it with "any", and the rule fires:

alert http any any -> $EXTERNAL_NET any (msg:"ET MALWARE SearchProtect

Fatima, this might be worth double checking in your environment.


HOME_NET: "[,,]"

ipvar HOME_NET any
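To reproduce the check this post suggests offline, here is an added example (my own code, not the poster's and not Snort's or Suricata's real address matcher). It resolves `$HOME_NET` / `$EXTERNAL_NET` the way a rule header does and shows why a degenerate `HOME_NET: "[,,]"` makes a `$HOME_NET any -> $EXTERNAL_NET any` rule match nothing while `any` (as in `ipvar HOME_NET any`) matches. It assumes a simplified subset of the address syntax: `any`, a single CIDR, a flat bracketed list, `!` negation and `$VAR` references; nested lists are not handled.

```python
"""Toy resolver for Snort/Suricata address variables (added example).

Assumption: flat syntax only -- "any", "10.0.0.0/8", "[a,b,c]", "!x", "$VAR".
Empty entries such as the degenerate "[,,]" are dropped, which leaves an
address list that matches nothing (and "![,,]" therefore matches everything).
"""
import ipaddress


def parse_addr_var(value):
    """Return (negated, networks, is_any) for one address expression."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.lower() == "any":
        return negated, [], True
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate "[,,]"-style gaps instead of erroring
        nets.append(ipaddress.ip_network(item, strict=False))
    return negated, nets, False


def addr_matches(ip, var_value):
    """Does ip satisfy the address expression (after negation)?"""
    negated, nets, is_any = parse_addr_var(var_value)
    if is_any:
        hit = True
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in n for n in nets)  # mixed v4/v6 simply miss
    return not hit if negated else hit


def resolve(field, variables):
    """Expand $VAR references recursively, keeping a leading '!'."""
    field = field.strip()
    if field.startswith("!"):
        return "!" + resolve(field[1:], variables)
    if field.startswith("$"):
        return resolve(variables[field[1:]], variables)
    return field


def rule_would_fire(src_ip, dst_ip, rule_src, rule_dst, variables):
    """Header check only: both address fields must match (ports ignored)."""
    return (addr_matches(src_ip, resolve(rule_src, variables))
            and addr_matches(dst_ip, resolve(rule_dst, variables)))
```

Feeding it a constructed client 192.168.1.10 talking to 203.0.113.5 with `{"HOME_NET": "[,,]", "EXTERNAL_NET": "!$HOME_NET"}` returns False for the original header and True once the source is changed to `any`, which is the behaviour described above.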