EXTERNAL_NET defaults to "any"

[polivia]

Was tracking down some false positives and noticed that the default setting for suricata is EXTERNAL_NET: any .

1. Is there a reason it's not set to !$HOME_NET ?
2. You can set HOME_NET with the hnmanager attribute in global.sls. Is there an attribute for EXTERNAL_NET if we want to modify it as well?

[dougburks]

1. Yes, we set EXTERNAL_NET to any to improve your ability to detect lateral movement.
2. Have you checked the documentation?
   https://docs.securityonion.net/en/2.3/suricata.html?highlight=external_net#configuration