NetFort Tips & Tricks - How do I set or change the IDS variables?

  • 1
  • Idea
  • Updated 3 years ago
We've had a few enquiries recently about IDS variables. Most of these variables are used by the Snort rules to determine the function of some systems and the location of others. The variables map out the layout of your environment so that Snort can make educated decisions about which events deserve an alert. The variables are looking for either IP addresses (one or several) or specific TCP ports on which a service is listening.

By default, the variables (set on a per sensor basis) are declared with the value any. This matches any IP address. While this value works, it may cause a large number of false positive alerts.

The steps involved in setting or changing the IDS variables are:

  1. Click on the LANGuardian menu bar and select Sensors.
  2. Click the Settings link for the sensor you want to modify.
  3. Click Configure IDS.
  4. Find the network variable.
  5. Specify a setting (see some examples below).
  6. Click Save.


Port 80 is the default HTTP port. You may enter either a single number or a comma-separated range of ports to be monitored for example 80,8080,3128

SMTP_SERVERS The IP address or addresses of the servers which are hosting mail servers in your network for example [].

HOME_NET Use this to specify the IP addresses of the systems you are protecting. The IP address or addresses which you use as your home network addresses for example [,].

Setting specific IP addresses and port numbers goes a long way towards reducing the number of false positives that Snort generates.

Should you wish to alter the IDS variables, and the examples above don't help, please contact us on any time.

Kind regards,
Aisling Brennan
NetFort Support Team

Photo of Aisling Brennan

Aisling Brennan, Official Rep

  • 386 Posts
  • 8 Reply Likes

Posted 3 years ago

  • 1

Be the first to post a reply!