Snort mailing list archives

Does setting HOME_NET have any effect in Stealth mode?


From: Rob Ward <rob.ward () liverpool ac uk>
Date: Tue, 02 Nov 2004 13:05:26 +0000

Hi,

I've been trying out Snort on a problem network (I'm a newbie!) that sees a lot of P2P traffic and DOS/DDOS attacks. I'm running NetBSD 1.6.2_STABLE and snort-2.2.0. The interface I'm using to monitor the network is connected to a SPAN port and running in promiscuous mode with no IP configuration. Another interface is used solely for managing the box with IP configured.

When I set "HOME_NET" to anything other than 'any' I no longer see any DOS or DDOS alerts but P2P alerts are still output. I've tried following the configuration examples in the FAQs etc. and can't get it to work. I'm wondering if HOME_NET has any relevance when running snort in 'stealth' or am I wide of the mark?

Also - can snort cope with variable length subnet masks?

Regards

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

Tel: 0151 794 4449
Fax: 0151 794 4442
Mob: 07970 247 326
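
Added example (not part of the original post, and not Snort's own code): a Python sketch of how Snort-style rule headers resolve `$HOME_NET` and `$EXTERNAL_NET` against the source and destination addresses of captured packets, using CIDR blocks with different prefix lengths. The rule headers, networks and packets are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def parse_addr_spec(spec, variables):
    """Resolve a Snort-style address spec: 'any', a CIDR, a [list], $VAR, with optional '!'."""
    spec = spec.strip()
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        # Variables may reference other variables, e.g. EXTERNAL_NET = !$HOME_NET
        inner_negate, nets = parse_addr_spec(variables[spec[1:]], variables)
        return negate != inner_negate, nets
    if spec == "any":
        return negate, None
    nets = [ipaddress.ip_network(n.strip()) for n in spec.strip("[]").split(",")]
    return negate, nets

def addr_in(spec, addr, variables):
    """True if addr satisfies the (possibly negated) address spec."""
    negate, nets = parse_addr_spec(spec, variables)
    hit = nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negate

def header_matches(header, src, dst, variables):
    """Match the address part of a rule header ('SRC -> DST' or 'SRC <> DST')."""
    left, direction, right = header.split()
    forward = addr_in(left, src, variables) and addr_in(right, dst, variables)
    if direction == "<>":
        return forward or (addr_in(left, dst, variables) and addr_in(right, src, variables))
    return forward

# Constructed rule headers (addresses only) and constructed (src, dst) packets.
RULES = {"inbound": "$EXTERNAL_NET -> $HOME_NET",
         "outbound": "$HOME_NET -> $EXTERNAL_NET"}
PACKETS = [("198.51.100.7", "10.1.2.9"),    # outside -> inside the /22
           ("10.1.3.20", "203.0.113.5"),    # inside the /22 -> outside
           ("198.51.100.7", "172.16.5.5")]  # neither end listed in HOME_NET

def matches(home_net, external_net="any"):
    """Return, per rule header, the indexes of the sample packets it would match."""
    variables = {"HOME_NET": home_net, "EXTERNAL_NET": external_net}
    return {name: [i for i, (s, d) in enumerate(PACKETS)
                   if header_matches(hdr, s, d, variables)]
            for name, hdr in RULES.items()}

if __name__ == "__main__":
    for home in ("any", "[10.1.0.0/22,192.0.2.64/27]"):
        print(home, matches(home))
```

Feeding the addresses actually seen on the SPAN port into `PACKETS` shows which rule directions can still match for a given `HOME_NET` value.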



