Snort mailing list archives

RE: WHy no alerts using eth0_ADDRESS?


From: "Hutchinson, Andrew" <Andrew.Hutchinson () Vanderbilt edu>
Date: Tue, 15 Jan 2002 15:08:26 -0600

I believe that the issue is this:

when you use

var HOME_NET $eth0_ADDRESS

then your $HOME_NET is set to the _single_ ip address of eth0.  For instance, if eth0 is 192.168.1.1/32, then snort 
will _only_ alert when the ICMP packet is coming from or headed to eth0 on the sensor itself.  So, if your ping was 
from the sensor, I would expect alerts, whereas if the ping is simply passing through the sensor, the $HOME_NET is not 
matched and thus no alert generated.

However, when you have 

var HOME_NET 192.168.1.0/24

or the like, the entire subnet is matched by $HOME_NET, and the signature is matched and an alert generated.

Hope this helps,

Andrew


Andrew Hutchinson CNE MCSE
Informatics/NCS/Network Security
Vanderbilt University Medical Center
615.936.2856 - voice
615.936.0643 - fax
andrew.hutchinson () mcmail vanderbilt edu


-----Original Message-----
From: Dr. Richard W. Tibbs [mailto:ccamp () oakcitysolutions com]
Sent: Tuesday, January 15, 2002 2:38 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] WHy no alerts using eth0_ADDRESS?


I am puzzled mildly by some remarks in the snort.conf file:
....
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
#var HOME_NET any

By the comments above, I am led to believe that snort will always
initialize the $eth0_ADDRESS variable to the home net.
Snort has always worked "out of the shrink wrap" with no mods to
snort.conf and finds eth0, my only active NIC;
snort -v reports packets as usual.

However ......

In an exploration with snort, I tried
var HOME_NET $eth0_ADDRESS
output alert_unixsock
alert icmp $HOME_NET any -> any any (msg: "OUT" ;)
alert icmp any any -> $HOME_NET any (msg: "IN" ;)

and when I ping another machine I get no alerts,
although the snort summary output counts as many packets as ping sends & 
receives. (i.e., the snort output is like:
Breakdown by protocol:               Action Stats:
...                                   Alerts: 0
  ICMP: 12
...

But when I use
var HOME_NET 192.168.1.0/32
output alert_unixsock
alert icmp $HOME_NET any  -> any any (msg: "OUT" ;)
alert icmp any any  -> $HOME_NET any (msg: "IN" ;)

I get the appropriate equal amounts of INs and OUTs alerted to the socket.

How come no alerts in the first case?
Do I actually have to set the eth0_ADDRESS variable myself?



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

