Snort mailing list archives

Re: Does setting HOME_NET have any effect in Stealth mode?


From: Rob Ward <rob.ward () liverpool ac uk>
Date: Wed, 03 Nov 2004 10:52:56 +0000

Thanks Alex,

--On 03 November 2004 10:19 +0000 "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk> wrote:

> --On 02 November 2004 13:05 +0000 Rob Ward <rob.ward () liverpool ac uk> wrote:
>
>> When I set "HOME_NET" to anything other than 'any' I no longer see any
>> DOS or DDOS alerts but P2P alerts are still output.
>
> Depending on how the P2P rules in question are written, that will still
> be the case. If you don't want to know which of your hosts in $HOME_NET
> are using P2P services, why do you have the rules enabled?

I do want to see these, but they're output regardless of what I set HOME_NET to. The thing is, I also want to see the DOS and DDOS alerts, but these stop being output when I use anything other than "var HOME_NET any". I'd hoped that setting HOME_NET and EXTERNAL_NET would cut down the load on my box - which it does, but if the DOS and DDOS alerts are no longer output then it defeats the object!

>> I've tried following the configuration examples in the FAQs etc. and can't
>> get it to work. I'm wondering if HOME_NET has any relevance when running
>> snort in 'stealth' or am I wide of the mark?
>
> You're wide of the mark. Running the sniffing interface with no IP
> address has no interaction with HOME_NET, whether it's left at 'any' or
> not. :-)
>
>> Also - can snort cope with variable length subnet masks?
>
> Looks like it, from reading the source for ParseIP() in
> parser/IpAddrSet.c. I'd be surprised if it doesn't handle VLSM
> flawlessly, just as I was surprised when Solaris still didn't back around
> '98/99 or so.
>
>> Rob Ward
>
> Best Regards,
> Alex.
> --
> Alex Butcher: Security & Integrity, Personal Computer Systems Group
> Information Systems and Computing             GPG Key ID: F9B27DC9
> GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9



Regards

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

Tel: 0151 794 4449
Fax: 0151 794 4442
Mob: 07970 247 326
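An added illustration, not part of the thread and not Snort's code: a small evaluator for Snort-style rule headers that shows Alex's point that the effect of narrowing HOME_NET depends on how each rule's header is written, and that CIDR prefixes of any length (VLSM) are a plain network-membership test. The two headers, the variable settings and the flows are constructed for the example (RFC 5737 documentation addresses); the real rule files may be written differently.

```python
"""Constructed illustration (not Snort code): evaluate Snort-style rule
headers for a flow under two HOME_NET/EXTERNAL_NET settings. Ports are
ignored; VLSM prefixes such as /26 are handled by ipaddress."""
import ipaddress

def resolve(token, variables):
    """Expand $VAR, !$VAR, [a/b,c/d] or 'any' into (negated, networks or None)."""
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        inner_neg, nets = resolve(variables[token[1:]], variables)
        return negated ^ inner_neg, nets
    if token == "any":
        return negated, None          # None means every address
    nets = [ipaddress.ip_network(t.strip(), strict=False)
            for t in token.strip("[]").split(",")]
    return negated, nets

def addr_matches(token, variables, addr):
    negated, nets = resolve(token, variables)
    hit = nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated

def header_matches(header, variables, src, dst):
    """True if the flow src->dst satisfies the header's address fields."""
    _proto, s_ip, _sport, arrow, d_ip, _dport = header.split()
    fwd = addr_matches(s_ip, variables, src) and addr_matches(d_ip, variables, dst)
    if arrow == "->":
        return fwd
    rev = addr_matches(s_ip, variables, dst) and addr_matches(d_ip, variables, src)
    return fwd or rev                 # '<>' matches either direction

# Hypothetical headers chosen only to contrast two ways a rule can be written.
RULES = {
    "dos_style": "tcp $EXTERNAL_NET any -> $HOME_NET any",
    "p2p_style": "tcp any any -> any any",
}
WIDE = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
# RFC 5737 documentation prefixes; the /26 exercises a non-classful mask.
NARROW = {"HOME_NET": "[192.0.2.0/24,198.51.100.0/26]",
          "EXTERNAL_NET": "!$HOME_NET"}

def alerts(variables, src, dst):
    """Names of rules whose header matches the flow under these variables."""
    return sorted(n for n, h in RULES.items() if header_matches(h, variables, src, dst))

if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10"),   # inbound from outside
                 ("192.0.2.10", "203.0.113.5"),   # outbound: dos_style silent
                 ("192.0.2.10", "198.51.100.3")]: # internal to internal
        print(flow, "any:", alerts(WIDE, *flow), "narrow:", alerts(NARROW, *flow))
```

With HOME_NET left at 'any' every flow triggers both headers; once HOME_NET is narrowed, only flows whose source lies outside it satisfy the $EXTERNAL_NET -> $HOME_NET header, while the any -> any header keeps alerting on everything.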