Snort mailing list archives
Re: HOMENET IP exclusions
From: Nogwai <nogwai () gwaimo fr>
Date: Tue, 13 Mar 2012 10:02:37 +0100
EXTERNAL_NET is set to:

var EXTERNAL_NET !$HOME_NET

I've read somewhere that exclusions in the HomeNet are kinda incompatible with External_Net. Is it the problem?

If yes, and assuming I set my variables like this:

var HOMENET [10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24] ]
var EXTERNAL_NET !$HOME_NET ![10.9.0.0/16,99.0.17.0/24]

I'll NOT see alerts coming from excluded IP, right?

2012/3/12 Jason Wallace <jason.r.wallace () gmail com>

> What is $EXTERNAL_NET set to?
>
> On Mon, Mar 12, 2012 at 1:07 PM, Nogwai <nogwai () gwaimo fr> wrote:
>
>> Hi there,
>>
>> I am trying to exclude some IP/IP range from HOMENET variables. Basically, I don't want to see any alerts coming from some single IP(s) and complete IP pools. So I've configured my HOMENET like this (in snort.ethX.conf):
>>
>> var HOMENET [10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]
>>
>> It appears that I have a lot of traffic coming from interface eth1. So I've managed to split the single snort process in three separate processes running on interfaces eth1:1, eth1:2 and eth1:3 (with different rule-sets on each), and replicate the HOMENET variable in each snort.eth1:x.conf.
>>
>> Looking at the snort process, the HOMENET variable seems not to be taken from my snort.eth1:x.conf files but from snort.debian.conf (I'm running Alienvault OpenSource SIEM - OSSIM v3.0, based on Debian 5.0.8 and Snort 2.9.0.4). So I've modified the DEBIAN_SNORT_HOME_NET to look like this:
>>
>> DEBIAN_SNORT_HOME_NET="10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24] "
>>
>> And then, Snort doesn't want to restart:
>>
>> FATAL ERROR: /etc/snort/rules/emerging-dns.rules => Negated IP ranges that are equal to or are more-general than non-negated ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.
>>
>> Looking for some hints, I came across this (http://seclists.org/snort/2010/q3/674), this (http://seclists.org/snort/2009/q3/267) and read README.variables. But still lost. Don't know if the problem is Debian or Snort related...
>>
>> Actually, I play with CIDR to exclude the above IP inside the snort.debian.conf file. But this is a bit painful to maintain and I received some new exclusions to add to the list every week.
>>
>> I'll appreciate some light on this :)
>>
>> Greetings,
>> Nogwai
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
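Added example, not from this thread and not Snort's own code: a small Python model of how Snort 2.9 treats IP-list variables, negation of a variable, and the validation check behind the FATAL ERROR quoted in the message above. It assumes the semantics the error text describes: "!$HOME_NET" flips the negation flag on every element of HOME_NET, and a list is rejected when a negated range is equal to or more general than a non-negated one. The HOME_NET value and the FATAL ERROR wording come from the thread; the test addresses, the alternative EXTERNAL_NET value and all function names are constructed for illustration, and variable references ($HOME_NET) are expanded by hand rather than parsed.

```python
"""Constructed model of Snort 2.9 IP-list variables: parse, negate, validate,
match. Not Snort's code; it reproduces the rules implied by the error
'Negated IP ranges that are equal to or are more-general than non-negated
ranges are not allowed'."""
import ipaddress
import re

_TOKEN_RE = re.compile(r'\[|\]|,|!|[0-9A-Fa-f:.]+(?:/\d+)?')


class SnortIpListError(ValueError):
    """Raised where Snort would abort with a FATAL ERROR on the variable."""


def parse_iplist(text):
    """Parse Snort list syntax into a flat list of (negated, network) tuples.

    Brackets nest and a '!' in front of a bracket distributes over its
    contents, so '![a,b]' becomes [(True, a), (True, b)]. $VAR references
    are not resolved here; expand them by hand first.
    """
    tokens = _TOKEN_RE.findall(text)
    leftover = _TOKEN_RE.sub('', text).strip()
    if leftover:
        raise SnortIpListError('unparsable text in IP list: %r' % leftover)
    entries, pos = _parse_element(tokens, 0, negated=False)
    if pos != len(tokens):
        raise SnortIpListError('trailing tokens in IP list: %r' % tokens[pos:])
    return entries


def _parse_element(tokens, pos, negated):
    neg = negated
    while pos < len(tokens) and tokens[pos] == '!':
        neg = not neg
        pos += 1
    if pos >= len(tokens):
        raise SnortIpListError('dangling "!" in IP list')
    if tokens[pos] == '[':
        entries = []
        pos += 1
        while pos < len(tokens) and tokens[pos] != ']':
            sub, pos = _parse_element(tokens, pos, neg)
            entries.extend(sub)
            if pos < len(tokens) and tokens[pos] == ',':
                pos += 1
        if pos >= len(tokens):
            raise SnortIpListError('unbalanced "[" in IP list')
        return entries, pos + 1
    try:
        net = ipaddress.ip_network(tokens[pos], strict=False)
    except ValueError as e:
        raise SnortIpListError('bad address %r: %s' % (tokens[pos], e))
    return [(neg, net)], pos + 1


def negate(entries):
    """'var X !$VAR': the negation flag of every element of VAR is flipped."""
    return [(not neg, net) for neg, net in entries]


def find_conflicts(entries):
    """(negated, positive) pairs where the negated range is equal to or more
    general than a positive one, i.e. the negation would swallow it entirely.
    Snort refuses a list with any such pair."""
    positives = [net for neg, net in entries if not neg]
    negatives = [net for neg, net in entries if neg]
    return [(n, p) for n in negatives for p in positives
            if n.version == p.version and p.subnet_of(n)]


def validate(entries):
    conflicts = find_conflicts(entries)
    if conflicts:
        raise SnortIpListError(
            'Negated IP ranges that are equal to or are more-general than '
            'non-negated ranges are not allowed: %s'
            % ', '.join('!%s vs %s' % (n, p) for n, p in conflicts))
    return entries


def ip_in(entries, address):
    """Membership with Snort's precedence: any matching negated entry excludes
    the address; otherwise it must match a positive entry, and a list with no
    positive entries at all means 'anything that is not negated'."""
    ip = ipaddress.ip_address(address)
    positives = [net for neg, net in entries if not neg]
    for neg, net in entries:
        if neg and ip.version == net.version and ip in net:
            return False
    if not positives:
        return True
    return any(ip.version == net.version and ip in net for net in positives)


# HOME_NET value from the thread (assumed expanded by hand into EXTERNAL_NET).
HOME_NET = "[10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]"


def check_external_from_home(home_net_text=HOME_NET):
    """Emulate 'var EXTERNAL_NET !$HOME_NET'; returns the conflicts Snort
    would report for the negated list (empty if it would be accepted)."""
    home = validate(parse_iplist(home_net_text))  # HOME_NET itself passes
    return find_conflicts(negate(home))


if __name__ == '__main__':
    home = parse_iplist(HOME_NET)
    for a in ('10.1.2.3', '10.9.1.1', '99.0.17.5', '8.8.8.8'):  # constructed
        print(a, 'in HOME_NET:', ip_in(home, a))
    print('conflicts in !$HOME_NET:', check_external_from_home())
```

Running it shows that HOME_NET on its own is accepted and excludes 10.9.1.1 and 99.0.17.5, while negating it turns the inner exclusions into positives and produces exactly two conflicts, !10.0.0.0/8 against 10.9.0.0/16 and !99.0.0.0/16 against 99.0.17.0/24, which is the situation the FATAL ERROR describes. An EXTERNAL_NET written out as ![10.0.0.0/8,99.0.0.0/16] passes the check because it has no positive entries; in this model the excluded ranges then fall in neither variable.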
Current thread:
- HOMENET IP exclusions Nogwai (Mar 12)
- Re: HOMENET IP exclusions Jason Wallace (Mar 12)
- Re: HOMENET IP exclusions Nogwai (Mar 13)
- Re: HOMENET IP exclusions Heine Lysemose (Mar 13)
- Re: HOMENET IP exclusions Jason Wallace (Mar 13)
- Re: HOMENET IP exclusions Nogwai (Mar 13)
- Re: HOMENET IP exclusions Nogwai (Mar 13)
- Re: HOMENET IP exclusions Jason Wallace (Mar 12)