Snort mailing list archives

Re: snort.conf


From: spiv007 <spiv007 () gmail com>
Date: Fri, 14 Jan 2005 11:50:54 -0500

I'm using bleeding rules.


On Fri, 14 Jan 2005 10:02:36 -0600, Paul Schmehl <pauls () utdallas edu> wrote:
--On Friday, January 14, 2005 09:39:10 AM -0500 spiv007 <spiv007 () gmail com>
wrote:

HOME_NET -> [192.168.0.0/24]
EXTERNAL_NET !$HOME_NET

So by doing the above I'm just letting snort know 192.168.0.0 is my
home network and my external is any but my "home_network", and snort
will still report problems on my home network too.

I think you're confused about what snort does.  Snort simply sniffs packets
and reports any that match a rule that you've enabled in the snort.conf
file.

When you define HOME_NET as 192.168.0.0/24, that value is used in every
rule where the variable $HOME_NET is used.  (Look at the rules to see what
I mean.)

When you define EXTERNAL_NET as !$HOME_NET, that means that EXTERNAL_NET
will match *all* addresses that are *not* in the network 192.168.0.0/24.

What that *means* to snort depends upon which rule you are referring to.
Some rules have the following traffic flow:
$EXTERNAL_NET any -> $HOME_NET any

This means that any traffic *not* originating on 192.168.0.0/24 that is
destined for 192.168.0.0/24 *and* matches that rule will trigger an alert.

Other snort rules have the reverse traffic flow and will only alert on
traffic *leaving* your network.

When you ask, will snort "still report problems on my home network too",
the answer depends entirely on where the traffic originates, what rule you
are referring to and where your snort sensor is located with reference to
the origination and destination points.

IOW, your question is impossible to answer without knowing a great deal
more.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


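Paul's point about how $HOME_NET and $EXTERNAL_NET are substituted into rule headers, and why the direction operator decides what a rule can see, as an added example that is not part of the original thread and is not Snort's own code. It is a small Python model of just the header syntax discussed here (the two `var` definitions from the thread in real snort.conf syntax, bracketed CIDR lists, `!` negation, `any`, and the `->` / `<>` operators); ports are parsed but not evaluated. The three rules, the alternative `EXTERNAL_NET any` definition, and the packet addresses (203.0.113.0/24 is documentation space standing in for the Internet) are constructed for the example.

```python
"""Toy model of how Snort resolves $HOME_NET / $EXTERNAL_NET in rule headers.

Added example; this is not Snort's own code. It handles only the subset of
rule-header syntax the thread talks about: 'var' lines, bracketed CIDR lists,
'!' negation, 'any', and the -> and <> direction operators. Ports are parsed
but not evaluated, and the rule body in parentheses is used only for msg.
"""
import ipaddress
import re

# The two definitions from the thread, in real snort.conf 'var' syntax.
CONF_NEGATED = """
var HOME_NET [192.168.0.0/24]
var EXTERNAL_NET !$HOME_NET
"""

# Constructed alternative for comparison: EXTERNAL_NET left as 'any'.
CONF_ANY = """
var HOME_NET [192.168.0.0/24]
var EXTERNAL_NET any
"""

# Constructed rules: only the headers matter here; msg text is illustrative.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"inbound";)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"outbound";)',
    'alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"either way";)',
]

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")


def parse_vars(conf):
    """Collect 'var NAME VALUE' lines into a dict (values kept as raw text)."""
    vars_ = {}
    for line in conf.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            vars_[parts[1]] = parts[2]
    return vars_


class AddrSpec:
    """One side of a rule header: 'any', a [list] of CIDRs, or $VAR, with optional '!'."""

    def __init__(self, text, vars_):
        text = text.strip()
        self.negate = text.startswith("!")
        if self.negate:
            text = text[1:]
        if text.startswith("$"):
            # Expand the variable, then fold its own negation into ours.
            inner = AddrSpec(vars_[text[1:]], vars_)
            self.any_, self.nets = inner.any_, inner.nets
            self.negate ^= inner.negate
        elif text == "any":
            self.any_, self.nets = True, []
        else:
            self.any_ = False
            self.nets = [ipaddress.ip_network(t.strip())
                         for t in text.strip("[]").split(",")]

    def matches(self, ip):
        if self.any_:
            return not self.negate          # '!any' matches nothing
        hit = any(ipaddress.ip_address(ip) in n for n in self.nets)
        return hit != self.negate           # '!' flips the result


class Rule:
    def __init__(self, text, vars_):
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError("unparsable rule header: " + text)
        self.action, self.proto, src, _sport, self.direction, dst, _dport = m.groups()
        self.src = AddrSpec(src, vars_)
        self.dst = AddrSpec(dst, vars_)
        self.msg = re.search(r'msg:"([^"]*)"', text).group(1)

    def _one_way(self, src_ip, dst_ip):
        return self.src.matches(src_ip) and self.dst.matches(dst_ip)

    def matches(self, src_ip, dst_ip):
        """'->' checks the header as written; '<>' also tries it reversed."""
        if self._one_way(src_ip, dst_ip):
            return True
        return self.direction == "<>" and self._one_way(dst_ip, src_ip)


def alerting_rules(conf, src_ip, dst_ip, rules=RULES):
    """Return the msg of every rule whose header matches a packet src -> dst."""
    vars_ = parse_vars(conf)
    return [r.msg for r in (Rule(t, vars_) for t in rules) if r.matches(src_ip, dst_ip)]


if __name__ == "__main__":
    flows = [("203.0.113.7", "192.168.0.10"),    # Internet -> home net
             ("192.168.0.10", "203.0.113.7"),    # home net -> Internet
             ("192.168.0.10", "192.168.0.20")]   # home net -> home net (lateral)
    for name, conf in (("EXTERNAL_NET !$HOME_NET", CONF_NEGATED),
                       ("EXTERNAL_NET any", CONF_ANY)):
        print(name)
        for s, d in flows:
            print(f"  {s:>13} -> {d:<13} {alerting_rules(conf, s, d)}")
```

Running it shows the practical consequence of the definitions in the thread: with EXTERNAL_NET set to !$HOME_NET, a packet from 192.168.0.10 to 192.168.0.20 matches none of the three rules, because neither address is "external", so anything written as $EXTERNAL_NET -> $HOME_NET or $HOME_NET -> $EXTERNAL_NET is blind to traffic between two hosts on the home network. Leaving EXTERNAL_NET as any makes the same lateral packet match all three. Which is right depends on where the sensor sits and whether you want alerts on internal-to-internal traffic, which is exactly the "depends on a great deal more" in Paul's answer.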


