Snort mailing list archives

HOME_NET not supporting multiple subnets?!


From: Jon Benson <Jon () destra com>
Date: Tue, 20 Aug 2002 16:01:11 +1000

Hi all,

I've set up Snort + MySQL + Acid on a RH 7.3 box using RPMs and the Snort
Installation Manual as a guide.

There are just FAR too many alerts being logged and mostly false positives
with the default setup.  So I attempted to set up the HOME_NET appropriately.

However it seems to me that it only uses the FIRST subnet when specifying
more than one subnet.

Eg. If HOME_NET were defined as:
var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27,
10.10.5.0/24]
it would only generate alerts for packets destined for 10.10.1.0/24
reliably.

There may be the odd packet that gets logged for the remaining subnets but
it is definitely missing test traffic that I'm generating from an external
network.

Eg.
wget
"10.10.5.46/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c
../winnt/system32/cmd.exe?/c+dir"
fails to log an alert, whereas:
wget
"10.10.1.96/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c
../winnt/system32/cmd.exe?/c+dir"
would log an alert as expected.

My problem is I have 10 different subnets I need to watch (real ones not the
examples given) and the default of "any" is, as mentioned, far too noisy.

Any/all suggestions would be most welcome.


Jon Benson
Mail/DNS Administrator
OzHosting.com
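An added example that is not part of this thread or of Snort itself: a small Python checker that parses the HOME_NET line exactly as written in the post (line wrap and spaces included), reports which subnet each test address falls in, and flags whitespace inside the bracketed list and entries with host bits set. It assumes that Snort's own variable parser is stricter than Python's `ipaddress` module about such input; check that assumption against the manual for your version.

```python
import ipaddress
import re

# Constructed sample: the HOME_NET line as written in the post, including
# the line wrap and the spaces after the commas.
HOME_NET_LINE = """var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27,
10.10.5.0/24]"""


def parse_home_net(line):
    """Return (networks, warnings) for a 'var HOME_NET [...]' line.

    The bracketed list is joined across line breaks and split on commas.
    Each entry is converted with strict=False, so a host address such as
    10.10.4.1/27 is taken as its containing /27 and a warning is recorded.
    """
    m = re.search(r"var\s+HOME_NET\s+\[(.*)\]", line, re.S)
    if not m:
        raise ValueError("no bracketed HOME_NET list found")
    body = m.group(1)
    warnings = []
    if re.search(r"\s", body):
        warnings.append("whitespace inside the list")
    nets = []
    for entry in body.split(","):
        text = entry.strip()
        net = ipaddress.ip_network(text, strict=False)
        if str(net) != text:
            warnings.append(f"{text} has host bits set; treated as {net}")
        nets.append(net)
    return nets, warnings


def matching_subnets(nets, address):
    """Return the subnets (as strings) from nets that contain address."""
    ip = ipaddress.ip_address(address)
    return [str(n) for n in nets if ip in n]


def check_home_net(line, addresses):
    """Map each test address to the HOME_NET subnets it falls in."""
    nets, warnings = parse_home_net(line)
    return {a: matching_subnets(nets, a) for a in addresses}, warnings


if __name__ == "__main__":
    result, warns = check_home_net(HOME_NET_LINE, ["10.10.5.46", "10.10.1.96", "192.0.2.7"])
    for addr, subnets in result.items():
        print(addr, "->", subnets or "not in HOME_NET")
    for w in warns:
        print("warning:", w)
```

If every test address is reported inside a subnet here but Snort still only alerts on the first one, the list itself is sound and the problem lies in how Snort reads it, not in the addresses.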

