I have a range of IPs which are assigned to Internet-facing servers. I had already defined all of my HOME_NET, in which I also included publicly addressable internal IPs that I would like to monitor. However, I had not added these external-facing network ranges to HOME_NET. I instead thought of adding them to the excluded category of EXTERNAL_NET. This ensures that these IPs are not part of the internal network and are not part of the external networks either. I believe it is safe to say that anything in the excluded category of EXTERNAL_NET can be called an unprotected network.
The question is, did I configure it right? If there is an attack on one of the external-facing servers which is open on 80 and 443, a signature such as "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS" should only be triggered when the attack reaches an IP in HOME_NET (159.x.x.x -> 192.168.x.x). Will this cause any conflicts? Is this even the right way of defining our external-facing/Internet-facing networks?
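As an added illustration (not part of the question above), here is a small Python model of how the rule header in the question resolves once EXTERNAL_NET is "everything except HOME_NET and the excluded ranges". The CIDR blocks and addresses are constructed stand-ins from RFC 5737 documentation space, not the poster's real ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ranges (placeholders, not the poster's real addresses).
HOME_NET = [ip_network("192.168.0.0/16"),      # internal RFC 1918 space
            ip_network("198.51.100.0/24")]     # publicly addressable, but monitored
UNPROTECTED = [ip_network("203.0.113.0/24")]   # Internet-facing servers, excluded from EXTERNAL_NET
HTTP_PORTS = {80, 443}


def in_any(addr, nets):
    """True if addr falls inside any network in nets."""
    a = ip_address(addr)
    return any(a in n for n in nets)


def is_home(addr):
    return in_any(addr, HOME_NET)


def is_external(addr):
    # Models "EXTERNAL_NET = not HOME_NET, and also not the excluded ranges".
    return not is_home(addr) and not in_any(addr, UNPROTECTED)


def rule_matches(src, dst, dport):
    """Evaluates: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (one direction)."""
    return is_external(src) and is_home(dst) and dport in HTTP_PORTS


def explain(src, dst, dport):
    """Return 'alert' or the reason the header does not match."""
    if rule_matches(src, dst, dport):
        return "alert"
    if not is_home(dst):
        return "silent: destination not in HOME_NET"
    if not is_external(src):
        return "silent: source not in EXTERNAL_NET"
    return "silent: port not in HTTP_PORTS"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "192.168.1.5", 80),      # Internet host -> internal web server
        ("192.0.2.10", "198.51.100.20", 443),   # Internet host -> monitored public IP
        ("192.0.2.10", "203.0.113.7", 443),     # Internet host -> excluded server
        ("203.0.113.7", "192.168.1.5", 80),     # excluded server -> internal host
    ]
    for src, dst, dport in cases:
        print(f"{src} -> {dst}:{dport}: {explain(src, dst, dport)}")
```

The last two cases show the consequence of the exclusion: traffic to the Internet-facing servers never matches, and traffic originating from them toward HOME_NET does not match either, because they sit in neither variable.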