Rules for WAN or LAN?
-
Hi,
Am I right in thinking that rules with $EXTERNAL_NET as source are for WAN, and rules with $HOME_NET as source are for LAN? I am trying to enable/disable rules for the WAN and LAN interfaces for Snort/Suricata, and am going to disable all the $EXTERNAL_NET source rules for LAN and all the $HOME_NET source rules for WAN.
Thanks,
-
No, $EXTERNAL_NET and $HOME_NET simply define networks that are to be protected ($HOME_NET) and those that are considered "the enemy" ($EXTERNAL_NET).
Bill
-
Thanks much. How do I make it so that on the Alerts screen I can see the WAN address as Destination for incoming alerts, and LAN addresses as Source for outgoing alerts?
-
The addresses in the packets themselves determine source versus destination. Maybe I am misunderstanding what you are wanting.
Perhaps what you are asking is how to see alerts so that the WAN is not the only HOME_NET address shown. To do that, you must run Snort on the LAN interface. Only there can it display addresses before the NAT rules are applied.
Do a search here on the forum for "snort wan vs lan" and you should get some threads to look through.
Bill
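-
Added example, not part of any post above and not Snort or Suricata code: a small Python model of how a rule's $HOME_NET / $EXTERNAL_NET header is matched against packet addresses, and why the same traffic shows the WAN address on the WAN interface but the real LAN host on the LAN interface. The addresses, the helper names, the WAN address being part of HOME_NET, and EXTERNAL_NET being defined as "not HOME_NET" are all assumptions made for the illustration.

```python
import ipaddress

# Constructed sample values (documentation ranges); none come from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = ipaddress.ip_address("198.51.100.2")
# Assumption: HOME_NET holds the LAN subnet and the firewall's WAN address.
HOME_NET = [LAN_NET, ipaddress.ip_network("198.51.100.2/32")]

OUTBOUND_RULE = ("$HOME_NET", "$EXTERNAL_NET")   # rule header: src -> dst
INBOUND_RULE = ("$EXTERNAL_NET", "$HOME_NET")


def in_home(addr):
    return any(addr in net for net in HOME_NET)


def side_matches(var, addr):
    """Match one side of a rule header against one packet address."""
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_home(addr)
    if var == "$EXTERNAL_NET":          # assumption: EXTERNAL_NET = !$HOME_NET
        return not in_home(addr)
    raise ValueError(f"unknown variable {var}")


def wan_view(src, dst):
    """On the WAN side NAT hides LAN hosts behind the WAN address."""
    return tuple(WAN_IP if a in LAN_NET else a for a in (src, dst))


def alert_view(rule, src, dst, interface):
    """Return the (src, dst) an alert would show, or None if the rule
    header does not match. src/dst are the addresses as seen on the LAN."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if interface == "WAN":
        src, dst = wan_view(src, dst)
    if side_matches(rule[0], src) and side_matches(rule[1], dst):
        return (str(src), str(dst))
    return None


if __name__ == "__main__":
    for iface in ("LAN", "WAN"):
        print(iface, "outbound:",
              alert_view(OUTBOUND_RULE, "192.168.1.50", "203.0.113.10", iface))
        print(iface, "inbound: ",
              alert_view(INBOUND_RULE, "203.0.113.10", "192.168.1.50", iface))
```

In this model both rule directions match on both interfaces, so disabling $HOME_NET-source rules on WAN would drop outbound detection there; the only difference between interfaces is which address the alert displays.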