RE: detect that shouldn't be detected!

["Daniel Lopez" <dlopez () tct hut fi>]

Yes, but my HOME_NET is still set to 10.50.1.0/24. So, even if my home
network address is included in the EXTERNAL variable because I'm using
any, I'm launching the attack from 10.50.1.x -> 10.50.0.X

10.50.0.x is not an IP address that belongs to my Home network.
Am I still missing something? :-/


> That is right.  Because 10.50.1.0 is included in your EXTERNAL network
> (any).
>
> Try changing EXERNAL_NET to !$HOME_NET
>
>
> -----Original Message-----
> From: Daniel Lopez [mailto:dlopez () tct hut fi]
> Sent: Thursday, August 01, 2002 4:49 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] detect that shouldn't be detected!
>
>
> Hello,
>
> Currently, I'm doing some tests on Snort. I'm using two LANs. One
> recreates the External network. The network address is: 10.50.0.0/24.
> The second LAN is my home network. The network address is:
> 10.50.1.0/24
> They are interconnected via a router. I wanted to be able to
> get attacks
> going from the External network to my Home network, and attacks going
> from my Home network to the other computers in my Home network.
> The SNORT box is in the home network. Computers and SNORT box are
> connected through a HUB. I configured the HOME_NET and EXTERNAL_NET
> variables as follows:
>
> HOME_NET 10.50.1.0/24
>
> EXTERNAL_NET any
>
> However, when I launch an attack (Teardrop, NewTear) from my home
> network to the external network, SNORT detects it!! If I look the
> Teardrop rule, it is written this way:
>
> [...] $EXTERNAL_NET -> $HOME_NET [...]
>
> Thus, it only will be applied for traffic that goes from the
> External_Net to the Home_Net!
> I don't understand how it can detect it if the attack goes
> from my home
> network to the external network. Did I miss something?
>
> Thanks in advance for your help!
> Daniel Lopez
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users