Snort mailing list archives
Re: Does setting HOME_NET have any effect in Stealth mode?
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Wed, 03 Nov 2004 11:45:27 +0000
--On 03 November 2004 10:52 +0000 Rob Ward <rob.ward () liverpool ac uk> wrote:
> Thanks Alex,
>
> --On 03 November 2004 10:19 +0000 "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk> wrote:
>
>> --On 02 November 2004 13:05 +0000 Rob Ward <rob.ward () liverpool ac uk> wrote:
>>
>>> When I set "HOME_NET" to anything other than 'any' I no longer see any DOS or DDOS alerts but P2P alerts are still output.
>>
>> Depending on how the P2P rules in question are written, that will still be the case. If you don't want to know which of your hosts in $HOME_NET are using P2P services, why do you have the rules enabled?
>
> I do want to see these but they're output regardless of what I set HOME_NET to.
No, if you take a look at the rules, they're still triggering because the source addresses are still in $HOME_NET, or the rule in question is using the <> bi-directional operator. By setting $HOME_NET, you will be eliminating most P2P alerts generated by non-$HOME_NET hosts. Chances are, like most academic networks, you've got lots of P2P users, though.
> The thing is I also want to see the DOS and DDOS alerts but these stop being output when I use anything other than "var HOME_NET any". I'd hoped that setting HOME_NET and EXTERNAL_NET would cut down the load on my box - which it does, but if the DOS and DDOS alerts are no longer output then it defeats the object!
It appears most of the DOS rules only trigger if they're targeted *at* $HOME_NET. You presumably want to see attacks sent *by* $HOME_NET - in which case, you'll need to replace $HOME_NET with 'any' (possibly by using Oinkmaster's 'modifysid' function) by editing the (D)DOS rules.
Read the rules, and it'll all make sense. Honest.
> Rob Ward
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
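The direction point made in the reply above can be checked mechanically. The Python below is an added illustration, not code from the thread or from Snort or Oinkmaster: it implements only the address and direction part of Snort rule-header matching (ports and rule options are ignored), using a constructed HOME_NET of 192.0.2.0/24 and two constructed headers in the shapes discussed, a directional DoS-style rule aimed at $HOME_NET and a bi-directional `<>` P2P-style rule. With HOME_NET set, the DoS rule fires only for inbound packets while the `<>` rule fires in both directions, which is what Rob observed. It also goes one step beyond the thread and shows a caveat worth knowing before using modifysid: when EXTERNAL_NET is defined as `!$HOME_NET`, replacing only `$HOME_NET` with `any` still leaves inside sources excluded on the source side, so both variables need replacing in that configuration.

```python
import ipaddress
import re

# Rule header: action proto src sport dir dst dport (the "(...)" options are ignored).
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def resolve(spec, variables):
    """Expand $VAR references, keeping a leading '!' (so !$HOME_NET -> !192.0.2.0/24)."""
    while spec.startswith("$") or spec.startswith("!$"):
        negated = spec.startswith("!")
        value = variables[spec.lstrip("!$")]
        spec = ("!" + value) if negated else value
        while spec.startswith("!!"):  # double negation cancels
            spec = spec[2:]
    return spec


def address_matches(spec, ip, variables):
    """True if ip satisfies an address spec: 'any', a CIDR, or a negation of either."""
    spec = resolve(spec, variables)
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_fires(header, src_ip, dst_ip, variables):
    """Address/direction check only: would this header consider a src_ip -> dst_ip packet?"""
    m = HEADER_RE.match(header)
    if m is None:
        raise ValueError("unparsable rule header: " + header)
    forward = (address_matches(m["src"], src_ip, variables)
               and address_matches(m["dst"], dst_ip, variables))
    if m["dir"] == "->":
        return forward
    # '<>' also accepts the packet with source and destination roles swapped
    reverse = (address_matches(m["src"], dst_ip, variables)
               and address_matches(m["dst"], src_ip, variables))
    return forward or reverse


def rewrite_to_any(header, names=("HOME_NET",)):
    """Plain text substitution in the spirit of Oinkmaster's modifysid: $NAME -> any."""
    for name in names:
        header = header.replace("$" + name, "any")
    return header


# Constructed values; the thread never states Rob's real settings.
HOME_SET = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}
HOME_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
INSIDE, OUTSIDE = "192.0.2.10", "198.51.100.5"

# Constructed headers: a directional DoS-style rule aimed *at* $HOME_NET and a
# bi-directional P2P-style rule.
DOS_RULE = 'alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed dos rule";)'
P2P_RULE = 'alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"constructed p2p rule";)'


def summary(variables, dos_rule=DOS_RULE):
    """Which of four packet/rule combinations would alert under these variables."""
    return {
        "dos_inbound": rule_fires(dos_rule, OUTSIDE, INSIDE, variables),
        "dos_outbound": rule_fires(dos_rule, INSIDE, OUTSIDE, variables),
        "p2p_inbound": rule_fires(P2P_RULE, OUTSIDE, INSIDE, variables),
        "p2p_outbound": rule_fires(P2P_RULE, INSIDE, OUTSIDE, variables),
    }


if __name__ == "__main__":
    print("HOME_NET any:        ", summary(HOME_ANY))
    print("HOME_NET set:        ", summary(HOME_SET))
    print("only $HOME_NET->any: ", summary(HOME_SET, rewrite_to_any(DOS_RULE)))
    print("both vars ->any:     ",
          summary(HOME_SET, rewrite_to_any(DOS_RULE, ("HOME_NET", "EXTERNAL_NET"))))
```

Running it prints the four combinations under each setting; the "dos_outbound" entry is the one that flips from True to False as soon as HOME_NET is narrowed, and it only comes back when every variable on the rule's source side resolves to `any`.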
Current thread:
- Does setting HOME_NET have any effect in Stealth mode? Rob Ward (Nov 02)
- Re: Does setting HOME_NET have any effect in Stealth mode? Michael Boman (Nov 02)
- Re: Does setting HOME_NET have any effect in Stealth mode? Rob Ward (Nov 02)
- Re: Does setting HOME_NET have any effect in Stealth mode? Michael Boman (Nov 02)
- Re: Does setting HOME_NET have any effect in Stealth mode? Rob Ward (Nov 02)
- Re: Does setting HOME_NET have any effect in Stealth mode? Rob Ward (Nov 02)
- Re: Does setting HOME_NET have any effect in Stealth mode? Alex Butcher, ISC/ISYS (Nov 04)
- Re: Does setting HOME_NET have any effect in Stealth mode? Michael Boman (Nov 02)
- Re: Does setting HOME_NET have any effect in Stealth mode? Alex Butcher, ISC/ISYS (Nov 03)
- Re: Does setting HOME_NET have any effect in Stealth mode? Rob Ward (Nov 03)
- Re: Does setting HOME_NET have any effect in Stealth mode? Alex Butcher, ISC/ISYS (Nov 03)
- Re: Does setting HOME_NET have any effect in Stealth mode? Rob Ward (Nov 03)