Snort mailing list archives

Re: home_net

From: "Basil Saragoza" <snortlst () hotmail com>
Date: Fri, 8 Mar 2002 16:17:46 -0500

THanks for the warning, address I posted only looks real, it is not my
firewall, and I beleive nobody's else :-)
----- Original Message -----
From: "John Sage" <jsage () finchhaven com>
To: "Basil Saragoza" <snortlst () hotmail com>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, March 08, 2002 1:28 PM
Subject: Re: [Snort-users] home_net

On Fri, Mar 08, 2002 at 12:30:43PM -0500, Basil Saragoza wrote:

When I set home_net in snort.conf to ip address of my firewall

everything is

fine.
When I set it to 215.124.175.132/26 then I see onl;y ICMP traffic.....
(external_net set to any)
Any reason for such behaviour on snort?
What is the correlation between home_net and external_net?


Several thoughts:

1) I would **never** actually post a live IP address, or IP address
range to a mail list -- obfuscate it -- we don't need to know the
actual IP address you've got to work with, and neither does anyone
else...


2) 215.124.175.132/26 corresponds to this:

Address:   215.124.175.132       11010111.01111100.10101111.10 000100
Netmask:   255.255.255.192 == 26 11111111.11111111.11111111.11 000000
=>
Network:   215.124.175.128/26    11010111.01111100.10101111.10 000000

(Class C)

Broadcast: 215.124.175.191       11010111.01111100.10101111.10 111111
HostMin:   215.124.175.129       11010111.01111100.10101111.10 000001
HostMax:   215.124.175.190       11010111.01111100.10101111.10 111110
Hosts/Net: 62

the (useable) netblock from HostMin: 215.124.175.129 to a HostMax:
215.124.175.190 for a total of 62 hosts.

Is this what you're intending to do?


I have no idea as to why this (the *only*..?) change would suddenly
result in your seeing only icmp traffic.

Is this the only change you've made?


- John
--
Most people don't type their own logfiles;  but, what do I care?


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

HOME_NET Basil Saragoza (Feb 21)
- <Possible follow-ups>
- Re: HOME_NET Scott Taylor (Feb 21)
- HOME_NET NoLiMiT1961 (Mar 06)
- home_net Basil Saragoza (Mar 08)
  - Re: home_net John Sage (Mar 08)
    - Re: home_net Basil Saragoza (Mar 08)
    - Re: home_net Phil Wood (Mar 08)
    - Re: home_net John Sage (Mar 08)