Re: Snort rules info

Posted by Gnomad on Mar 10, 2016; 1:41pm
URL: https://itus.accessinnov.com/Snort-rules-info-tp221p382.html

user8446 wrote
Gnomad wrote
Since I'm in Router mode, I'm considering making the edit
ipvar HOME_NET [192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]
where 192.168 is the subnet of my modem, 10.1.1 is my access point (wifi router), and 10.10.10.10 is of course the Shield.

Similarly then, I should be able to change
ipvar EXTERNAL_NET any
to
ipvar EXTERNAL_NET !$HOME_NET
Any issues anyone can spot?
Should I be treating the modem subnet as external too?
On the external it wouldn't break anything but it wouldn't achieve anything either. That would just exclude your IPs on external that you put into the home. Since your LAN isn't on the internet and hidden behind NAT, it would be the same as any.
I take your point, but from the perspective of the router, my access point holds a 10.10.10.X DHCP lease.  So I do at least want to exclude the 10.10.10 subnet from the external ruleset.  Maybe the below would be more accurate then, just not sure whether the ![10.10.10.0/24] syntax would be exactly correct.
ipvar EXTERNAL_NET ![10.10.10.0/24]
OpenWrt SNAPSHOT, r10391-3d8d528939
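
The three EXTERNAL_NET definitions discussed in this thread, compared side by side. This is an added example, not part of the original posts and not Snort's own parser: `compile_ipvar` and `external_match` are hypothetical helpers that model ipvar list and negation matching in simplified form, and the sample addresses are constructed.

```python
import ipaddress

# Values taken from the posts above.
HOME_NET = "[192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]"
EXTERNAL_CANDIDATES = ["any", "!$HOME_NET", "![10.10.10.0/24]"]

def compile_ipvar(expr, variables):
    """Turn an ipvar value into a predicate ip -> bool.

    Simplified model (assumption): flat lists only, no nested brackets.
    A list matches when the address is in at least one positive entry
    (or the list has none) and in no negated entry.
    """
    expr = expr.strip()
    if expr.startswith("!"):
        inner = compile_ipvar(expr[1:], variables)
        return lambda ip: not inner(ip)
    if expr == "any":
        return lambda ip: True
    if expr.startswith("$"):
        return variables[expr[1:]]
    if expr.startswith("[") and expr.endswith("]"):
        items = [s.strip() for s in expr[1:-1].split(",")]
        pos = [compile_ipvar(s, variables) for s in items if not s.startswith("!")]
        neg = [compile_ipvar(s[1:], variables) for s in items if s.startswith("!")]
        return lambda ip: (not pos or any(p(ip) for p in pos)) and not any(n(ip) for n in neg)
    net = ipaddress.ip_network(expr, strict=False)
    return lambda ip: ip in net

def external_match(addr):
    """Report whether addr counts as EXTERNAL_NET under each candidate definition."""
    variables = {"HOME_NET": compile_ipvar(HOME_NET, {})}
    ip = ipaddress.ip_address(addr)
    return {c: compile_ipvar(c, variables)(ip) for c in EXTERNAL_CANDIDATES}

# Constructed sample addresses, one per network plus one internet host
# (203.0.113.0/24 is a documentation range).
SAMPLES = ["10.10.10.50", "10.1.1.20", "192.168.100.1", "203.0.113.7"]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(addr, external_match(addr))
```

Only the LAN-side addresses are classified differently by the three definitions; the internet host is external under all of them.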