[Oisf-users] "HOME_NET" and "EXTERNAL_NET: "!$HOME_NET"".

Andreas Herz andi at geekosphere.org
Tue Feb 12 21:26:28 UTC 2019


On 11/02/19 at 10:41, Jason Long wrote:
>  Thank you. Thus, "HOME_NET" is my Local IP address and "EXTERNAL_NET" is my Global IP address? Is it true?

This depends on what you want to achieve with the rules. Most of the time
EXTERNAL_NET is everything else besides the local network which includes
both local and global IPs.

So for example you have a rule like this:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "attack"...)

you want to have the global IP in HOME_NET as well since you might want
to detect attacks targeting your global IP.

>     On Friday, February 8, 2019, 1:50:47 AM GMT+3:30, Andreas Herz <aherz at oisf.net> wrote:  
>  
>  Hi Jason,
> 
> On 06/02/19 at 09:06, Jason Long wrote:
> > Hello, I installed "" on CentOS 7.6 x86_64 and I want to configure it. In "suricata.yaml" I see:
> >     HOME_NET: "[ 192.168.1.2]"
> >     #HOME_NET: "[192.168.0.0/16]"
> >     #HOME_NET: "[10.0.0.0/8]"
> >     #HOME_NET: "[172.16.0.0/12]"
> >     #HOME_NET: "any"
> >     EXTERNAL_NET: "!$HOME_NET"
> >     #EXTERNAL_NET: "any"
> > My CentOS is a VM that is running a web server and its Local IP address is "192.168.1.2" and Global IP address is "X.X.X.X". Which values must I set for "HOME_NET" and "EXTERNAL_NET"? I see that "EXTERNAL_NET" has a "!$HOME_NET" value, what is it? If I set "HOME_NET" to "192.168.1.2" then all of "!$HOME_NET" refer to this IP?
> > Thank you.
> 
> !$HOME_NET means that it's all IPs except those defined in $HOME_NET
> 
> -- 
> Andreas Herz
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/  



-- 
Andreas Herz
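
An added example, not part of the original thread and not Suricata's own code: a small Python model of the address-variable logic discussed above, checking the source and destination sides of the `$EXTERNAL_NET -> $HOME_NET` rule for different HOME_NET values. The addresses 203.0.113.10 (standing in for the poster's "X.X.X.X"), 198.51.100.7 and 192.168.1.50 are constructed, and the matcher is a simplified assumption of how address groups and negation resolve.

```python
import ipaddress

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return parts + ([cur.strip()] if cur.strip() else [])

def matches(ip, spec, variables):
    """True if ip falls inside an address spec: any, !x, $VAR, [a, !b] or CIDR."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not matches(ip, spec[1:], variables)
    if spec.startswith("$"):
        return matches(ip, variables[spec[1:]], variables)
    if spec == "any":
        return True
    if spec.startswith("["):
        items = split_top(spec[1:-1])
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        hit = any(matches(ip, i, variables) for i in pos) if pos else True
        return hit and not any(matches(ip, i, variables) for i in neg)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_fires(src, dst, home_net):
    """Address check for: alert ip $EXTERNAL_NET any -> $HOME_NET any (...)"""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": "!$HOME_NET"}
    return (matches(src, "$EXTERNAL_NET", variables)
            and matches(dst, "$HOME_NET", variables))

# Constructed sample addresses (documentation ranges), not values from the thread.
LOCAL_IP, PUBLIC_IP = "192.168.1.2", "203.0.113.10"  # PUBLIC_IP stands in for "X.X.X.X"
REMOTE, LAN_PEER = "198.51.100.7", "192.168.1.50"

if __name__ == "__main__":
    for home in ("[ 192.168.1.2]", "[192.168.1.2, 203.0.113.10]", "[192.168.0.0/16]"):
        print(home,
              "| remote->public:", rule_fires(REMOTE, PUBLIC_IP, home),
              "| lan->local:", rule_fires(LAN_PEER, LOCAL_IP, home))
```

With HOME_NET set to only the local address, packets addressed to the public IP never satisfy the destination side of the rule, while a neighbouring LAN host counts as external; widening HOME_NET to 192.168.0.0/16 reverses the second result.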

