Snort mailing list archives
Re: HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules
From: David Smith <DSmith () smhcems org>
Date: Fri, 9 Jun 2017 17:43:20 +0000
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5;)

This alert is being triggered each time a DNS request is happening between two machines with the $HOME_NET subnets.

Thanks for the quick reply

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Friday, June 9, 2017 11:39 AM
To: David Smith <DSmith () smhcems org>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules

Hello,

Do you have any example traffic?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

On 6/9/17, 12:32 PM, "David Smith" <DSmith () smhcems org> wrote:

Members,

ENV: Ubuntu 16.04, Snort V 2.9.9.0, Barnyard2 V 2.1.14, PulledPork 0.7.3, BASE 1.4.5

Snort rules pulled in from PulledPork are being triggered from addresses within the defined HOME_NET as if they are part of the EXTERNAL_NET, which is causing unwanted alerts.

Snort.conf:
ipvar HOME_NET [192.168.1.0/24,192.168.3.0/24]
ipvar EXTERNAL_NET !$HOME_NET

Rule example:
alert tcp $EXTERNAL_NET any -> $HOME_NET 53.........

Can't find anything in docs or web that has solved this issue for me. Thoughts or ideas?

Thanks!
Dave Smith

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
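Added example, not part of the original thread and not Snort's own code: a triage helper that evaluates the two ipvar definitions and the five byte_test options of sid 2009702 quoted above against a packet's addresses and DNS header. It models only the address variables, the destination port and the byte_tests; the function names, the 192.168.2.10 and 10.0.0.5 addresses and the sample headers are constructed for illustration.

```python
import ipaddress

# ipvar HOME_NET value copied from the snort.conf quoted in the thread
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.3.0/24")]

# byte_test options of sid 2009702, all at payload offset 2 (DNS flags, high byte):
# (mask, True for "&" = bit must be set, False for "!&" = bit must be clear)
BYTE_TESTS = [(128, False), (64, False), (32, True), (16, False), (8, True)]

def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def in_external_net(addr):
    # ipvar EXTERNAL_NET !$HOME_NET: every address not listed in HOME_NET
    return not in_home_net(addr)

def content_matches(payload):
    # Bit 7 is QR and bits 6..3 are the opcode, so the five tests together
    # require QR=0 and opcode=0101b (5, DNS UPDATE per RFC 2136).
    if len(payload) < 3:
        return False
    flags_hi = payload[2]
    return all(bool(flags_hi & mask) == want for mask, want in BYTE_TESTS)

def rule_matches(src, dst, dport, payload):
    # Rule header: alert udp $EXTERNAL_NET any -> $HOME_NET 53
    return (in_external_net(src) and in_home_net(dst)
            and dport == 53 and content_matches(payload))

def dns_header(opcode, qr=0):
    # Constructed sample: 12-byte DNS header, ID 0x1234, one entry in section 1
    flags_hi = (qr << 7) | (opcode << 3)
    return bytes([0x12, 0x34, flags_hi, 0x00, 0, 1, 0, 0, 0, 0, 0, 0])

QUERY = dns_header(opcode=0)    # standard query
UPDATE = dns_header(opcode=5)   # dynamic update request

if __name__ == "__main__":
    cases = [("192.168.1.10", "192.168.3.5", UPDATE, "listed subnet, UPDATE"),
             ("192.168.2.10", "192.168.1.10", UPDATE, "unlisted subnet, UPDATE"),
             ("10.0.0.5", "192.168.1.10", QUERY, "outside address, QUERY")]
    for src, dst, pkt, label in cases:
        print(f"{label:26} {src} -> {dst}: match={rule_matches(src, dst, 53, pkt)}")
```

Running the source address from an unwanted alert through in_external_net(), and the captured payload through content_matches(), shows which half of the rule (address variables or DNS opcode) is responsible for the match.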
Current thread:
- HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules David Smith (Jun 09)
- <Possible follow-ups>
- Re: HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules Al Lewis (allewi) (Jun 09)
- Re: HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules David Smith (Jun 09)