Snort mailing list archives
Re: ip's outside of HOME_NET showing up
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 08 Jul 2004 12:53:04 -0400
At 11:01 AM 7/8/2004, Adam Denenberg wrote:
I finally got my ACID/MySQL setup working well. However, I have HOME_NET defined as my public range, say 24.100.100.0/24. However, I am seeing tons of destination IP addresses outside of that. Shouldn't Snort only be watching attacks destined for the HOME_NET network?
Not necessarily. HOME_NET is just a macro that rules can use; it doesn't alter what Snort itself examines.
Check the rules in question, or parameters to the preprocessors in question. Some rules look specifically for patterns coming FROM HOME_NET, generally signs of worm infection, etc.
Many rules use HTTP_SERVERS, SQL_SERVERS, or SMTP_SERVERS instead of HOME_NET. Some rules, most notably a few tftp ones, look for any source and any destination IP.
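The point made in the reply above, as an added example that is not part of the original thread or of Snort itself: this Python sketch checks which rule headers admit a given source/destination pair, showing why alerts can carry destinations outside HOME_NET. The variable values, the three rules and their sids are constructed for illustration; ports, protocol and bracketed address lists are ignored.

```python
import ipaddress
import re

# Constructed snort.conf-style variables (values are assumptions).
VARS = {
    "HOME_NET": "24.100.100.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
}

# Constructed rules: action proto src sport direction dst dport (options)
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"inbound web probe"; sid:1000001;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"outbound mail burst"; sid:1000002;)',
    'alert udp any any -> any 69 (msg:"tftp request"; sid:1000003;)',
]

HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$"
)

def field_matches(token, ip, variables=VARS, depth=0):
    """True if ip satisfies a rule address field: any, CIDR, $VAR or !negation."""
    if depth > 8:
        raise ValueError("variable reference loop")
    if token.startswith("!"):
        return not field_matches(token[1:], ip, variables, depth + 1)
    if token.startswith("$"):
        return field_matches(variables[token[1:]], ip, variables, depth + 1)
    if token == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)

def rules_matching(src, dst, rules=RULES):
    """Return sids of rules whose address header admits this src/dst pair."""
    hits = []
    for rule in rules:
        m = HEADER.match(rule)
        if not m:
            continue
        _, _, r_src, _, direction, r_dst, _, opts = m.groups()
        forward = field_matches(r_src, src) and field_matches(r_dst, dst)
        reverse = (direction == "<>" and field_matches(r_src, dst)
                   and field_matches(r_dst, src))
        if forward or reverse:
            hits.append(int(re.search(r"sid:\s*(\d+)", opts).group(1)))
    return hits

if __name__ == "__main__":
    # A HOME_NET host talking outward: the destination is outside HOME_NET.
    print(rules_matching("24.100.100.5", "198.51.100.7"))
```
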