Snort mailing list archives
Re: HOME_NET and EXTERNAL_NET
From: "JAMIE CRAWFORD" <crawford () cmsu1 cmsu edu>
Date: Wed, 01 Dec 2004 16:14:32 -0600
Thanks for the information everyone. I'll try this out. Here are the most common alerts in a half a second span.

Thanks again,
jamie

[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF
***AP*** Seq: 0x5337F75E  Ack: 0x41F6E98F  Win: 0xFAF0  TcpLen: 20

[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
12/01-16:05:13.163773 192.168.170.64:3686 -> 192.168.253.3:80
TCP TTL:126 TOS:0x0 ID:36746 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x2ED5003C  Ack: 0xE43B1645  Win: 0x4470  TcpLen: 20

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
12/01-16:05:13.309453 192.168.186.71:4887 -> 64.94.137.55:80
TCP TTL:126 TOS:0x0 ID:46539 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7EE9A60D  Ack: 0x5236B9F4  Win: 0x4470  TcpLen: 20

[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
12/01-16:05:13.313225 192.168.170.64:3688 -> 192.168.253.3:80
TCP TTL:126 TOS:0x0 ID:36769 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x39DAAF24  Ack: 0xE3A153A3  Win: 0x4470  TcpLen: 20

[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.404388 192.168..48.117:4195 -> 206.190.44.82:80
TCP TTL:126 TOS:0x0 ID:6660 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC40EB62C  Ack: 0xA76456C1  Win: 0xF9A7  TcpLen: 20
Tim Slighter <tslighter () itc nrcs usda gov> 12/01/04 04:42PM >>>
It might help too to tell us what alerts are firing off for this particular config. Many SNMP, WEB, and other rules files will fire off alerts for the $HOME_NET whenever a connection is either initiated outbound or if a valid incoming connection dynamically uses a port that fires a backdoor.rules TCP/UDP port.

JAMIE CRAWFORD wrote:
Hi, I'm a little frustrated on getting snort set up right. I have my var HOME_NET [192.168.1.0/24,192.168.2.0/24] and my var EXTERNAL_NET [!192.168.0.0/16], but for some reason I'm still getting alerts coming from my own home network's class B address (192.168.0.0/16). I don't care about my class B, just attacks made toward my two class C networks.

I've tried var EXTERNAL_NET !192.168.0.0/16
I've tried var EXTERNAL_NET ![192.168.0.0/16]

Any help is appreciated.

thanks,
jamie

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
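Every alert pasted in the reply above carries generator ID 119, i.e. it comes from the http_inspect preprocessor rather than from a rule in a .rules file. Preprocessor alerts are raised while the preprocessor decodes HTTP on the ports it is configured to inspect, so the HOME_NET/EXTERNAL_NET rule-header check that Jamie is tuning never applies to them. The following parser, added here as an example and not code from the thread or from the Snort project, reads Snort's full-format alert records, applies the poster's HOME_NET and EXTERNAL_NET definitions, and reports how many of those records an `EXTERNAL_NET any -> HOME_NET any` header would actually have matched. The sample input is the five records quoted in the reply, including the archive's malformed `192.168..48.117` address, which is kept as-is and counted as unparseable instead of crashing the run.

```python
import re
import ipaddress
from collections import Counter

# The variables exactly as the original post defines them (assumed to be the
# relevant snort.conf lines):
#   var HOME_NET [192.168.1.0/24,192.168.2.0/24]
#   var EXTERNAL_NET !192.168.0.0/16
HOME_NET = [ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("192.168.2.0/24")]
EXTERNAL_NET_NEGATED = ipaddress.ip_network("192.168.0.0/16")

# First two lines of a Snort "full" alert record. \s+ between fields lets the
# same expression work whether records are on separate lines or run together.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)"
)

# Sample input: the five records quoted in the reply (copied from the archive).
SAMPLE_ALERTS = """
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
12/01-16:05:13.163773 192.168.170.64:3686 -> 192.168.253.3:80
TCP TTL:126 TOS:0x0 ID:36746 IpLen:20 DgmLen:1500 DF
[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
12/01-16:05:13.309453 192.168.186.71:4887 -> 64.94.137.55:80
TCP TTL:126 TOS:0x0 ID:46539 IpLen:20 DgmLen:1500 DF
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
12/01-16:05:13.313225 192.168.170.64:3688 -> 192.168.253.3:80
TCP TTL:126 TOS:0x0 ID:36769 IpLen:20 DgmLen:1500 DF
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.404388 192.168..48.117:4195 -> 206.190.44.82:80
TCP TTL:126 TOS:0x0 ID:6660 IpLen:20 DgmLen:1500 DF
"""


def _ip_or_none(text):
    """Return an ip_address, or None for malformed text such as '192.168..48.117'."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_alerts(text):
    """Extract one dict per alert record found in text."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        alerts.append({
            "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "src": _ip_or_none(m["src"]), "dst": _ip_or_none(m["dst"]),
            "sport": int(m["sport"]), "dport": int(m["dport"]), "proto": m["proto"],
        })
    return alerts


def in_home_net(ip):
    return any(ip in net for net in HOME_NET)


def in_external_net(ip):
    # EXTERNAL_NET is the negation of 192.168.0.0/16
    return ip not in EXTERNAL_NET_NEGATED


def header_matches_ips(src_text, dst_text):
    """Would a rule header 'EXTERNAL_NET any -> HOME_NET any' match this pair?"""
    src, dst = _ip_or_none(src_text), _ip_or_none(dst_text)
    if src is None or dst is None:
        return False
    return in_external_net(src) and in_home_net(dst)


def summarize(text):
    alerts = parse_alerts(text)
    return {
        "total": len(alerts),
        "unparseable_ip": sum(1 for a in alerts if a["src"] is None or a["dst"] is None),
        "preprocessor": sum(1 for a in alerts if a["gid"] != 1),  # GID 1 = text rules
        "rule_header_would_match": sum(
            1 for a in alerts
            if a["src"] is not None and a["dst"] is not None
            and in_external_net(a["src"]) and in_home_net(a["dst"])),
        "by_gid_sid": Counter(f"{a['gid']}:{a['sid']}" for a in alerts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

Run on the quoted records the summary shows five alerts, all from generator 119, none of which an `EXTERNAL_NET -> HOME_NET` header would have matched: every source is inside 192.168.0.0/16 and no destination is in either /24. Changing EXTERNAL_NET therefore cannot silence them. In Snort 2.x the knobs that do apply are the http_inspect_server configuration (which ports and servers the preprocessor inspects, and its per-option alert flags) and a `suppress gen_id 119, sig_id <sid>` entry in threshold.conf; the exact option names are assumed to match the Snort 2 version in use at the time.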