Snort mailing list archives
HOME_NET not supporting multiple subnets?!
From: Jon Benson <Jon () destra com>
Date: Tue, 20 Aug 2002 16:01:11 +1000
Hi all,

I've set up Snort + MySQL + ACID on a RH 7.3 box using RPMs and the Snort Installation Manual as a guide. There are just FAR too many alerts being logged, and mostly false positives with the default setup. So I attempted to set up HOME_NET appropriately. However, it seems to me that it only uses the FIRST subnet when specifying more than one subnet.

E.g. if HOME_NET were defined as:

var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27, 10.10.5.0/24]

it would only generate alerts for packets destined for 10.10.1.0/24 reliably. There may be the odd packet that gets logged for the remaining subnets, but it is definitely missing test traffic that I'm generating from an external network.

E.g.

wget "10.10.5.46/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c ../winnt/system32/cmd.exe?/c+dir"

fails to log an alert, whereas:

wget "10.10.1.96/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c ../winnt/system32/cmd.exe?/c+dir"

would log an alert as expected.

My problem is I have 10 different subnets I need to watch (real ones, not the examples given) and the default of "any" is, as mentioned, far too noisy.

Any/all suggestions would be most welcome.

Jon Benson
Mail/DNS Administrator
OzHosting.com
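Before concluding that Snort is ignoring subnets, it is worth checking that the HOME_NET list itself says what you think it says. The script below is an added example, not part of the post or of Snort: it parses a Snort-style bracketed IP list, flags two things that commonly make such a list misbehave (whitespace inside the brackets, which older Snort releases were strict about, and an entry with host bits set, such as 10.10.4.1/27), prints the whitespace-free form every Snort version accepts, and reports whether given addresses fall inside the list. The sample list is the one from the post; the negation semantics ('!' excludes a block from the positive entries) follow Snort's later ipvar documentation and are an assumption for the 2002-era var syntax.

```python
import ipaddress
import re

# Constructed sample: the HOME_NET list from the post above, spaces included.
HOME_NET_POSTED = "[10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27, 10.10.5.0/24]"


def _elements(spec):
    """Split 'a', '[a,b,c]' or '[a, b, c]' into its raw, stripped elements."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [e.strip() for e in spec.split(",")]


def parse_ip_list(spec):
    """Parse a Snort-style IP list into [(negated, ip_network), ...].

    Accepts a single address/CIDR, 'any', or a bracketed comma-separated
    list; a leading '!' negates an element.  Host bits set in an entry
    (e.g. 10.10.4.1/27) are tolerated here so lint_ip_list() can report
    them; the network returned is the block that entry actually denotes.
    """
    entries = []
    for item in _elements(spec):
        if not item:
            raise ValueError("empty element in IP list: %r" % spec)
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(item, strict=False)
        entries.append((negated, net))
    return entries


def lint_ip_list(spec):
    """Return warnings about things that make a list mean something other
    than the author intended."""
    warnings = []
    if re.search(r"\s", spec.strip()):
        warnings.append("list contains whitespace; older Snort releases expect "
                        "the form [a/24,b/24] with no spaces")
    for item in _elements(spec):
        bare = item.lstrip("!").strip()
        if bare == "any" or "/" not in bare:
            continue
        try:
            ipaddress.ip_network(bare, strict=True)
        except ValueError:
            net = ipaddress.ip_network(bare, strict=False)
            warnings.append("%s has host bits set; the /%d block it lies in is %s"
                            % (bare, net.prefixlen, net))
    return warnings


def normalize(spec):
    """Whitespace-free canonical form, with host bits cleared, e.g.
    '[10.10.1.0/24,10.10.4.0/27]'."""
    parts = []
    for negated, net in parse_ip_list(spec):
        text = "any" if net.prefixlen == 0 else str(net)
        parts.append(("!" if negated else "") + text)
    return "[" + ",".join(parts) + "]" if len(parts) > 1 else parts[0]


def matches(spec, addr):
    """True if addr is inside some positive entry and outside every negated one."""
    ip = ipaddress.ip_address(addr)
    entries = parse_ip_list(spec)
    included = any(ip in net for neg, net in entries if not neg)
    excluded = any(ip in net for neg, net in entries if neg)
    return included and not excluded


def coverage_report(spec, addrs):
    """Map each address to whether the list covers it."""
    return {a: matches(spec, a) for a in addrs}


if __name__ == "__main__":
    for w in lint_ip_list(HOME_NET_POSTED):
        print("warning:", w)
    print("normalized:", normalize(HOME_NET_POSTED))
    # The two targets from the post plus one address just outside the /27.
    report = coverage_report(HOME_NET_POSTED, ["10.10.5.46", "10.10.1.96", "10.10.4.40"])
    for addr, inside in report.items():
        print(addr, "inside HOME_NET" if inside else "OUTSIDE HOME_NET")
```

Run against the posted list, the linter reports the whitespace and the 10.10.4.1/27 entry, the normalized form comes out as [10.10.1.0/24,10.10.2.0/24,10.10.3.64/27,10.10.4.0/27,10.10.5.0/24], and both 10.10.5.46 and 10.10.1.96 are shown as covered, which confirms that the intended list would match the test traffic and narrows the problem to how the running Snort parsed it.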
Current thread:
- HOME_NET not supporting multiple subnets?! Jon Benson (Aug 19)
- Re: HOME_NET not supporting multiple subnets?! Erek Adams (Aug 20)