Rules for WAN or LAN?
- 
 HI, Am I right thinking that rules with $EXTERNAL_NET as source are for WAN, and rules with $HOME_NET as source are for LAN? Trying to enable/disable rules for WAN and LAN interfaces for Snort/Suricata, going to disable all the $EXTERNAL_NET source rules for LAN, and disable all the $HOME_NET source rules for WAN? Thanks, 
- 
 No, $EXTERNAL_NET and $HOME_NET simply define networks that are to be protected ($HOME_NET) and those that are considered "the enemy" ($EXTERNAL_NET). Bill 
- 
 No, $EXTERNAL_NET and $HOME_NET simply define networks that are to be protected ($HOME_NET) and those that are considered "the enemy" ($EXTERNAL_NET). Bill Thanks much, How do I do so that on the Alerts screen I can see WAN address as Destination for incoming alerts, and LAN addresses as source for outgoing alerts? 
- 
 The addresses in the packets themselves determine source versus destination. Maybe I am misunderstanding what you are wanting. Perhaps what you are asking is how to see alerts so that the WAN is not the only HOME_NET address shown. To do that, you must run Snort on the LAN interface. Only there can it display addresses before the NAT rules are applied. Do a search here on the forum for "snort wan vs lan" and you should get some threads to look through. Bill 
