Snort mailing list archives

Home_net & external_net


From: "Jeremy Finke" <Jeremy.Finke () MeridianIQ com>
Date: Thu, 5 Dec 2002 18:20:19 -0600

I have something that is driving me crazy.

I have alerts going off from within two different segments of my
HOME_NET.  I don't understand why I am seeing these.  Here are the 2
lines from my snort.conf:

var HOME_NET [192.168.40.0/24,192.168.41.0/24,10.14.0.0/16]
var EXTERNAL_NET [any,!192.168.40.0/24,!10.14.0.0/16]

I have an alert from 10.14.1.50 going to 192.168.40.65 that is SNMP
request udp.  Why is that showing up?  Since they are both HOME_NET
networks, shouldn't snort not log this type of activity?

I also have other examples:
Alert #7-(2-1418) [arachnids <http://www.whitehats.com/info/ids311>] [snort <http://www.snort.org/snort-db/sid.html?sid=466>] ICMP L3retriever Ping
  2002-12-05 18:13:15  10.14.1.50 -> 192.168.40.67  ICMP

Alert #9-(2-1426) [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0619>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-1999-0619>] [arachnids <http://www.whitehats.com/info/ids08>] [snort <http://www.snort.org/snort-db/sid.html?sid=716>] TELNET access
  2002-12-05 18:15:41  192.168.40.53:23 -> 10.14.14.182:1925

Thanks!


Jeremy T. Finke
Systems Engineer
Meridian IQ

