RE: HOME_NET and EXTERNAL_NET

["Joe Patterson" <jpatterson () asgardgroup com>]

These are all coming from the http_inspect preprocessor, which doesn't care
about HOME_NET or EXTERNAL_NET.

There are several ways you could deal with this.  I'm not necessarily
suggesting them, but you could do it...

put a bpf filter on snort, along the lines of 'not src net 192.168.0.0/16',
or a bunch more filter expressions to whittle it down to only the sources
you want to exclude.

suppress all sid's for this generator.  include lines for each sid along the
lines of:
suppress gen_id 119, sig_id 13, track by-src, ip 192.168.0.0/16

Of course, you could always not run the http_inspect preprocessor, but that
would definitely be a bad idea.

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of JAMIE
> CRAWFORD
> Sent: Wednesday, December 01, 2004 5:15 PM
> To: tslighter () itc nrcs usda gov
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] HOME_NET and EXTERNAL_NET
>
>
> Thanks for the information everyone. I'll try this out.  Here are the
> most common alerts in a half a second span.
>
> thanks again,
> jamie
>
>
> [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
> 12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
> TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF
> ***AP*** Seq: 0x5337F75E  Ack: 0x41F6E98F  Win: 0xFAF0  TcpLen: 20
>
> [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
> 12/01-16:05:13.163773 192.168.170.64:3686 -> 192.168.253.3:80
> TCP TTL:126 TOS:0x0 ID:36746 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x2ED5003C  Ack: 0xE43B1645  Win: 0x4470  TcpLen: 20
>
> [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
> 12/01-16:05:13.309453 192.168.186.71:4887 -> 64.94.137.55:80
> TCP TTL:126 TOS:0x0 ID:46539 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x7EE9A60D  Ack: 0x5236B9F4  Win: 0x4470  TcpLen: 20
>
> [**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
> 12/01-16:05:13.313225 192.168.170.64:3688 -> 192.168.253.3:80
> TCP TTL:126 TOS:0x0 ID:36769 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x39DAAF24  Ack: 0xE3A153A3  Win: 0x4470  TcpLen: 20
>
> [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
> 12/01-16:05:13.404388 192.168..48.117:4195 -> 206.190.44.82:80
> TCP TTL:126 TOS:0x0 ID:6660 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0xC40EB62C  Ack: 0xA76456C1  Win: 0xF9A7  TcpLen: 20
>
>
>
> > > > Tim Slighter <tslighter () itc nrcs usda gov> 12/01/04 04:42PM >>>
> It might help too to tell us what alerts are firing off for this
> particular config.  Many SNMP, WEB, and other rules files will fire off
>
> alerts for the $HOME_NET whenever a connection is either intitiated
> outbound or if a valid incoming connection dynamically uses a port that
>
> fires a backdoor.rules TCP/UDP port
>
> JAMIE CRAWFORD wrote:
>
> > Hi,
> > I'm a little frustrated on getting snort setup right.  I have my var
> > HOME_NET [192.168.1.0/24,192.168.2.0/24] and my var EXTERNAL_NET
> > [!192.168.0.0/16], but for some reason I'm still getting alerts
> coming
> > from my own home networks class b address (192.168.0.0/16). I don't
> care
> > about my class b, just attacks made toward my two class c networks.
> >
> > I've tried  var EXTERNAL_NET !192.168.0.0/16
> > I've tried  var EXTERNAL_NET ![192.168.0.0/16]
> >
> >
> > any help is appreciated.
> > thanks,
> > jamie
> >
> >
> >
> >
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT Products from real
> users.
> > Discover which products truly live up to the hype. Start reading now.
>
> > http://productguide.itmanagersjournal.com/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real
> users.
> Discover which products truly live up to the hype. Start reading now.
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users