Re: $HOME_NET

[Erek Adams <erek () snort org>]

On Sun, 6 Apr 2003, Keg wrote:

> I guess I miss something.......
> I have 3 network segments #1, #2, and #3. $HOME_NET is set to #1.
> When I scan #1 with Nessus I get a lot of alerts logged.
> When I scan #2 with Nessus I get just a little bit of alerts
> When I add #2 to $HOME_NET (so it looks like $HOME_NET [#1/24,#2/24) I
> 'm starting to get a lot of alerts.
>
> Hence 2 questions:
> 1. Is there any difference how snort treats netwqorks if they are not
> included in $HOME_NET?
> 2. Should I include all network segments I have in $HOME_NET?

When you're refering to portscans, are you refering to the one of the
portscan preprocessors, stream4 or some of the rules?  $HOME_NET has
nothing to do with any of those except for the rules.

Where are you scanning _from_?  If you're scanning from inside of #1, then
you won't see any alerts from the rules, but you may see them from one of
the preprocessors.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: ValueWeb: 
Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
No other company gives more support or power for your dedicated server
http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users