Snort mailing list archives

Re: HOME_NET not supporting multiple subnets?!


From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
Date: Tue, 20 Aug 2002 08:15:11 +0200

Hi Jon,

try omitting the spaces in your list and it should work.

HTH,
Sandro

Hi all,

I've set up Snort + MySQL + Acid on a RH 7.3 box using RPMs and the Snort
Installation Manual as a guide.

There are just FAR too many alerts being logged, and mostly false positives,
with the default setup.  So I attempted to set up the HOME_NET appropriately.

However, it seems to me that it only uses the FIRST subnet when specifying
more than one subnet.

E.g. if HOME_NET were defined as:
var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27, 10.10.5.0/24]
it would only generate alerts reliably for packets destined for 10.10.1.0/24.

There may be the odd packet that gets logged for the remaining subnets, but
it is definitely missing test traffic that I'm generating from an external
network.

E.g.
wget "10.10.5.46/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir"
fails to log an alert, whereas:
wget "10.10.1.96/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir"
would log an alert as expected.

My problem is I have 10 different subnets I need to watch (real ones, not the
examples given) and the default of "any" is, as mentioned, far too noisy.

Any/all suggestions would be most welcome.


Jon Benson
Mail/DNS Administrator
OzHosting.com


-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
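An added sanity check, not part of the thread, that a defender can run before reloading Snort: it takes the HOME_NET list exactly as Jon wrote it (with spaces after the commas), rewrites it in the space-free form Sandro recommends, validates each entry as a CIDR network, and reports which of the test hosts from the question a correct list would cover. It uses only the Python standard library and does not reproduce Snort's own parser; the list and the test hosts are the ones quoted above.

```python
import ipaddress

# Constructed sample input: the HOME_NET list as written in the question
# (spaces after the commas) and the two hosts used for the wget tests,
# plus one address outside every listed subnet.
HOME_NET_AS_WRITTEN = "[10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27, 10.10.5.0/24]"
TEST_HOSTS = ["10.10.5.46", "10.10.1.96", "192.0.2.10"]


def normalize_home_net(value):
    """Return the list with the whitespace removed, as the reply recommends."""
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    entries = [e.strip() for e in inner.split(",") if e.strip()]
    return "[" + ",".join(entries) + "]"


def parse_home_net(value):
    """Parse every entry as a network; return (networks, warnings).

    An entry whose host bits are set (e.g. 10.10.4.1/27) is kept but
    reported, since the address written is not the network's base address.
    """
    nets, warnings = [], []
    for entry in normalize_home_net(value)[1:-1].split(","):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            warnings.append(f"{entry}: skipped, {exc}")
            continue
        if ipaddress.ip_interface(entry).ip != net.network_address:
            warnings.append(f"{entry}: host bits set, treated as {net}")
        nets.append(net)
    return nets, warnings


def covered_by(nets, host):
    """Return the HOME_NET entry containing host, or None if nothing matches."""
    addr = ipaddress.ip_address(host)
    return next((n for n in nets if addr in n), None)


if __name__ == "__main__":
    print("normalized:", normalize_home_net(HOME_NET_AS_WRITTEN))
    nets, warnings = parse_home_net(HOME_NET_AS_WRITTEN)
    for w in warnings:
        print("warning:", w)
    for host in TEST_HOSTS:
        print(f"{host:>12} -> {covered_by(nets, host)}")
```

If a host you expect to be monitored prints `None`, the list itself is the problem rather than the list syntax.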
