Mark Lutz wrote:
The Snort FAQ states the following:
| Q: IP address is assigned dynamically to my interface, can I use | snort with it? | | A: Yes. With snort 1.7 and later, <interface>_ADDRESS variable is | available. | The value of this variable will be always set to IP | address/Netmask of the interface which you run snort at. if | interface goes down and up again (and an IP address is | reassigned) you will have to restart snort. For earlier | versions of snort numerous scripts to achieve the same result | are available.
2. How/where do I use this variable?
AFAIK in /etc/snort/snort-lib file you define the HOME_NETWORK as var HOME_NETWORK 192.168.1.0/24 then you define the EXTERNAL_NET and this could be var EXTERNAL_NET !$HOME_NETWORK this way by using the negation mark "!" and the defined variable HOME_NETWORK anything that is not HOME_NETWORK is assumed EXTERNAL HTH -- Togan Muftuoglu