Snort mailing list archives
Re: snort.conf
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 14 Jan 2005 10:02:36 -0600
--On Friday, January 14, 2005 09:39:10 AM -0500 spiv007 <spiv007 () gmail com> wrote:
I think you're confused about what snort does. Snort simply sniffs packets and reports any that match a rule that you've enabled in the snort.conf file.

> HOME_NET -> [192.168.0.0/24]
> EXTERNAL_NET !$HOME_NET
> So by doing the above I'm just letting snort know 192.168.0.0 is my home network and my external is any but my "home_network" and snort will still report problems on my home network too.
When you define HOME_NET as 192.168.0.0/24, that value is used in every rule where the variable $HOME_NET is used. (Look at the rules to see what I mean.)
When you define EXTERNAL_NET as !$HOME_NET, that means that EXTERNAL_NET will match *all* addresses that are *not* in the network 192.168.0.0/24.
What that *means* to snort depends upon which rule you are referring to. Some rules have the following traffic flow:
$EXTERNAL_NET any -> $HOME_NET any

This means that any traffic *not* originating on 192.168.0.0/24 that is destined for 192.168.0.0/24 *and* matches that rule will trigger an alert.
Other snort rules have the reverse traffic flow and will only alert on traffic *leaving* your network.
When you ask, will snort "still report problems on my home network too", the answer depends entirely on where the traffic originates, what rule you are referring to and where your snort sensor is located with reference to the origination and destination points.
IOW, your question is impossible to answer without knowing a great deal more.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
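
The variable expansion and direction matching described in the message above, as an added example that is not part of the original post and is not Snort's own code. The helper names, the reversed header `$HOME_NET any -> $EXTERNAL_NET any` and the sample addresses are constructed for illustration; ports are ignored because the header quoted in the message uses `any`.

```python
import ipaddress

# Variable definitions taken from the snort.conf lines quoted in the thread.
VARS = {"HOME_NET": "[192.168.0.0/24]", "EXTERNAL_NET": "!$HOME_NET"}

def addr_matches(spec, ip, variables=VARS):
    """True if ip falls inside a Snort-style address spec (flat lists only)."""
    spec = spec.strip()
    if spec.startswith("!"):                       # negation: everything NOT in spec
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):                       # variable reference
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        parts = [p.strip() for p in spec[1:-1].split(",") if p.strip()]
        pos = [p for p in parts if not p.startswith("!")]
        neg = [p[1:] for p in parts if p.startswith("!")]
        included = any(addr_matches(p, ip, variables) for p in pos) if pos else True
        return included and not any(addr_matches(n, ip, variables) for n in neg)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(header, src, dst, variables=VARS):
    """Evaluate only the address and direction part of a rule header."""
    src_spec, _sport, direction, dst_spec, _dport = header.split()
    fwd = addr_matches(src_spec, src, variables) and addr_matches(dst_spec, dst, variables)
    if direction == "->":
        return fwd
    if direction == "<>":                          # bidirectional operator
        rev = addr_matches(src_spec, dst, variables) and addr_matches(dst_spec, src, variables)
        return fwd or rev
    raise ValueError("unsupported direction operator: " + direction)

INBOUND = "$EXTERNAL_NET any -> $HOME_NET any"     # header quoted in the message
OUTBOUND = "$HOME_NET any -> $EXTERNAL_NET any"    # assumed form of the "reverse" flow

# Constructed sample flows: (source, destination)
FLOWS = [("203.0.113.5", "192.168.0.10"),          # outside -> home
         ("192.168.0.10", "203.0.113.5"),          # home -> outside
         ("192.168.0.10", "192.168.0.20")]         # home -> home

def evaluate(flows=FLOWS):
    """Return {(src, dst): (inbound_header_hit, outbound_header_hit)}."""
    return {(s, d): (header_matches(INBOUND, s, d), header_matches(OUTBOUND, s, d))
            for s, d in flows}

if __name__ == "__main__":
    for flow, hits in evaluate().items():
        print(flow, "inbound header:", hits[0], "outbound header:", hits[1])
```

With these definitions, the home-to-home flow satisfies neither header, so only rules written with other source and destination specs could alert on it.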