Manage

How to configure Snort variables

Learn how to define Snort's configuration variables.

JP Vossen, CISSP

Snort has many configuration variables and options, but the two most important ones are $HOME_NET and $EXTERNAL_NET....

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

$HOME_NET is a variable that defines the network or networks you are trying to protect, while $EXTERNAL_NET is the external, untrusted networks to which you are connected. These variables are used in virtually all rules to specify criteria for the source and destination of a packet.

The default of both variables is "any," which means just what it sounds like. Setting $HOME_NET is pretty much a no-brainer. Configure the variable to the network or networks you are trying to protect, as shown in the examples in the snort.conf configuration file.

More on this topic

Learn more about intrusion detection and prevention with this comprehensive Learning Guide

$EXTERNAL_NET is a little more tricky, and there are two schools of thought concerning its configuration. The first group prefers to leave it set to the default of "any" since that picks up the most events. The second group prefers !$HOME_NET, which means literally anything that is not in $HOME_NET, because this setting cuts down on false positives and lets Snort run a little more efficiently. However, it opens up the possibility of missing an internal-to-internal (i.e. $HOME_NET to $HOME_NET) attack. Since 60 to 80 % of all attacks are internal, depending on what survey you read, I recommend leaving $EXTERNAL_NET set to any. Also, never set $EXTERNAL_NET to !$HOME_NET if $HOME_NET is set to any, since that effectively sets $EXTERNAL_NET to nothing.

There are a number of other variables that define DNS, SMTP, HTTP, SQL, Telnet, SNMP and AIM servers, and HTTP, SHELLCODE and Oracle ports. The default for all server variables is to set them to $HOME_NET, which is another reason to set that correctly. This will work pretty well, but you may find you can cut down false positives by setting these variables more specifically. You should verify the port variables in case you are using non-standard ports, but you can otherwise leave them alone.

SNORT INTRUSION DETECTION AND PREVENTION GUIDE

Introduction
Why Snort makes IDS worth the time and effort
How to identify and monitor network ports
How to handle network design with switches and segments
Where to place IDS network sensors
Finding an OS for Snort IDS sensors
How to determine network interface cards for IDS sensors
Modifying and writing custom Snort IDS rules
How to configure Snort variables
Where to find Snort IDS rules
How to automatically update Snort rules
How to decipher the Oinkcode for Snort's VRT rules
Using IDS rules to test Snort

ABOUT THE AUTHOR: JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.

This was last published in May 2005

More on this topic

10 Linux security tools for system administrators

Scapy tutorial: How to use Scapy to test Snort rules

Using Snort 2.8.3 to inspect HTTP traffic

How to use shared object rules in Snort

6 SaaS security best practices to protect applications

Review these 7 CASB vendors to best secure cloud access

CASB explained: Know its use cases before you buy

Considerations for SASE management and troubleshooting

Cisco sweetens Acacia deal by $2 billion

SASE challenges include network security roles, product choice

Parler sues AWS, seeks restraining order

Digital healthcare top priority for CIOs in 2021

C-suite execs give future technology predictions for the decade

Will Windows 10 be the last Windows OS?

CES: Laptops sport designs friendly for remote workers

Evaluate if Windows 10 needs third-party antivirus

COVID-19 and remote work shift cloud predictions for 2021

Cloud providers jockey for 2021 market share

How to build a cloud center of excellence

Private LTE/5G market set to reach £4.2bn in 2024

150,000 records accidentally wiped from police systems

Google Cloud, Nokia accelerate readiness for cloud-native enterprise 5G solutions

More on this topic

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

10 Linux security tools for system administrators

Scapy tutorial: How to use Scapy to test Snort rules

Using Snort 2.8.3 to inspect HTTP traffic

How to use shared object rules in Snort