Snort mailing list archives
RE: detect that shouldn't be detected!
From: "Daniel Lopez" <dlopez () tct hut fi>
Date: Fri, 2 Aug 2002 19:56:00 +0300
Hi Gammon!
> You might want to try setting EXTERNAL_NET !HOME_NET
You wanted to say: EXTERNAL_NET !$HOME_NET, no? ;-)

Anyway, as Tom Sevy and you advised me to do, I set EXTERNAL_NET to !$HOME_NET. By doing that, SNORT shouldn't be able to detect attacks launched from my Home Network, and this applies to rules which are written this way:

    [...] $EXTERNAL_NET -> $HOME_NET [...]

Is this right?

Well, I did some tests, and here are my results. I launched a NewTear attack (a variant of the Teardrop DoS attack) from a computer that belongs to my home network (so inside 10.50.1.0/24) to the external network (10.50.0.0/24). Because I set EXTERNAL_NET to !$HOME_NET, SNORT shouldn't detect this attack, no? Well, SNORT detected it!! Funny thing! And my HOME_NET and EXTERNAL_NET are set to:

    var HOME_NET 10.50.1.0/24
    var EXTERNAL_NET !$HOME_NET

Then, I launched some other attacks (no DoS and DDoS) from the same computer (10.50.1.130) to a computer in my external network. Here, SNORT didn't detect them....

However, my first idea was to set these two variables to be able to detect attacks launched from:
  . my Home Net to my Home Net
  . the External Net to my Home Net

This is the reason why I set these variables to:

    var HOME_NET 10.50.1.0/24
    var EXTERNAL_NET any

And with this configuration, I have the problem that I described in my previous emails...

Thus, I still don't understand why SNORT detects these DoS and DDoS attacks that are launched from my home network to the external network, even if my EXTERNAL_NET is configured as "any" or "!$HOME_NET"... Can somebody tell me what is wrong, please? :-/
-----Original Message-----
From: Daniel Lopez [mailto:dlopez () tct hut fi]
Sent: Thursday, August 01, 2002 4:49 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] detect that shouldn't be detected!

Hello,

Currently, I'm doing some tests on Snort. I'm using two LANs. One recreates the External network. The network address is: 10.50.0.0/24. The second LAN is my home network. The network address is: 10.50.1.0/24. They are interconnected via a router.

I wanted to be able to get attacks going from the External network to my Home network, and attacks going from my Home network to the other computers in my Home network. The SNORT box is in the home network. Computers and SNORT box are connected through a HUB.

I configured the HOME_NET and EXTERNAL_NET variables as follows:

    HOME_NET 10.50.1.0/24
    EXTERNAL_NET any

However, when I launch an attack (Teardrop, NewTear) from my home network to the external network, SNORT detects it!! If I look at the Teardrop rule, it is written this way:

    [...] $EXTERNAL_NET -> $HOME_NET [...]

Thus, it will only be applied to traffic that goes from the External_Net to the Home_Net! I don't understand how it can detect it if the attack goes from my home network to the external network. Did I miss something?

Thanks in advance for your help!

Daniel Lopez

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
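The reasoning in this thread rests on how a rule header's $EXTERNAL_NET / $HOME_NET variables, with "!" negation and "any", select traffic by direction. The following script is an added example written for this archive page; it is not code from the thread or from Snort. It resolves the variables the way the header syntax implies and evaluates the thread's own test packets (source 10.50.1.130, networks 10.50.1.0/24 and 10.50.0.0/24) against a "$EXTERNAL_NET -> $HOME_NET" header under both configurations Daniel tried. The "udp" protocol, the external target 10.50.0.10 and the home peer 10.50.1.20 are assumptions, and ports are ignored because the question is only about addresses. The point it makes is the one a defender needs when triaging an unexpected alert: under either configuration that header cannot match home-to-external traffic, so an alert on such traffic must originate somewhere the address variables are not consulted. Snort preprocessors (the fragment reassembler being the relevant one for Teardrop-style packets) raise their own alerts before rule headers are evaluated; whether that is the cause here is not something this thread settles.

```python
"""Evaluate Snort-style rule-header address variables against packet addresses.

Constructed for this thread; not Snort's own code. Ports are ignored because
the thread's question is only about source and destination addresses.
"""
import ipaddress

# The two configurations Daniel tried (values copied from the thread).
CONFIG_NEGATED = {"HOME_NET": "10.50.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
CONFIG_ANY = {"HOME_NET": "10.50.1.0/24", "EXTERNAL_NET": "any"}

# Header shape of the Teardrop rule as the thread quotes it ("udp" is assumed).
TEARDROP_HEADER = "udp $EXTERNAL_NET any -> $HOME_NET any"


def resolve(spec, variables):
    """Follow '!' and '$VAR' prefixes until a literal address list or 'any' remains.

    Returns (negated, networks); networks is None for 'any'.
    '!!X' cancels out, so '!$EXTERNAL_NET' with EXTERNAL_NET = !$HOME_NET
    resolves back to HOME_NET itself.
    """
    negated = False
    spec = spec.strip()
    while True:
        if spec.startswith("!"):
            negated = not negated
            spec = spec[1:].strip()
        elif spec.startswith("$"):
            name = spec[1:]
            if name not in variables:
                raise KeyError(f"undefined variable ${name}")
            spec = variables[name].strip()
        else:
            break
    if spec == "any":
        return negated, None
    # Accept a single CIDR or a bracketed, comma-separated list: [a/24,b/24]
    parts = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(p.strip(), strict=False) for p in parts]


def addr_matches(spec, ip, variables):
    """True when address `ip` satisfies the rule-header address spec."""
    negated, networks = resolve(spec, variables)
    if networks is None:
        hit = True                      # 'any' matches every address
    else:
        address = ipaddress.ip_address(ip)
        hit = any(address in net for net in networks)
    return hit != negated               # a leading '!' flips the result


def header_matches(header, src_ip, dst_ip, variables):
    """Apply the address part of a rule header: proto src sport dir dst dport."""
    _proto, src_spec, _sport, direction, dst_spec, _dport = header.split()
    forward = (addr_matches(src_spec, src_ip, variables)
               and addr_matches(dst_spec, dst_ip, variables))
    if direction == "->":
        return forward
    if direction == "<>":               # bidirectional: either orientation
        backward = (addr_matches(src_spec, dst_ip, variables)
                    and addr_matches(dst_spec, src_ip, variables))
        return forward or backward
    raise ValueError(f"unknown direction operator {direction!r}")


def thread_scenarios():
    """Evaluate the thread's test traffic against the Teardrop header.

    10.50.1.130 is the attacking host named in the thread; 10.50.0.10 (external
    target) and 10.50.1.20 (home peer) are constructed placeholders.
    """
    home_host, home_peer, external_host = "10.50.1.130", "10.50.1.20", "10.50.0.10"
    return {
        "home->external, EXTERNAL_NET=!$HOME_NET":
            header_matches(TEARDROP_HEADER, home_host, external_host, CONFIG_NEGATED),
        "home->external, EXTERNAL_NET=any":
            header_matches(TEARDROP_HEADER, home_host, external_host, CONFIG_ANY),
        "external->home, EXTERNAL_NET=!$HOME_NET":
            header_matches(TEARDROP_HEADER, external_host, home_host, CONFIG_NEGATED),
        "home->home, EXTERNAL_NET=!$HOME_NET":
            header_matches(TEARDROP_HEADER, home_host, home_peer, CONFIG_NEGATED),
        "home->home, EXTERNAL_NET=any":
            header_matches(TEARDROP_HEADER, home_host, home_peer, CONFIG_ANY),
    }


if __name__ == "__main__":
    for case, matched in thread_scenarios().items():
        print(f"{case:42} header matches: {matched}")
```

Running it shows that home-to-external traffic never satisfies the header under either configuration, that EXTERNAL_NET = !$HOME_NET also silences home-to-home matches (which Daniel wanted to keep), and that EXTERNAL_NET = any is the setting that covers both external-to-home and home-to-home, exactly as he set out to do. An alert the header cannot explain is the signal to look at the preprocessor output rather than at the rule file.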