Re: HOMENET IP exclusions

[Nogwai <nogwai () gwaimo fr>]

EXTERNAL_NET is set to :

var EXTERNAL_NET !$HOME_NET

I've read somewhere that exclusions in the HomeNet are kinda incompatible
with External_Net. Is it the problem ?
If yes, and assuming I set my variables like this :

var HOMENET [10.0.0.0/8,99.0.0.0/16<http://10.0.0.0/8,99.0.0.0/16,%21%5B10.9.0.0/16,99.0.17.0/24%5D>
]
var EXTERNAL_NET !$HOME_NET ![10.9.0.0/16,99.0.17.0/24]

I'll NOT see alerts coming from excluded IP, right?

2012/3/12 Jason Wallace <jason.r.wallace () gmail com>

> What is $EXTERNAL_NET set to?
>
> On Mon, Mar 12, 2012 at 1:07 PM, Nogwai <nogwai () gwaimo fr> wrote:
> > Hi there,
> >
> > I am trying to exclude some IP/IP range from HOMENET variables. Basicly,
> I
> > don't want to see any alerts coming from some single IP(s) and complete
> IP
> > pools.
> > So I've configured my HOMENET like this (in snort.ethX.conf) :
> >
> > var HOMENET 
> > [10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]<http://10.0.0.0/8,99.0.0.0/16,%21[10.9.0.0/16,99.0.17.0/24]>
> ]
> > It appears that I have a lot of traffic coming from interface eth1. So
> I've
> > managed to split the single snort process in three separate process
> running
> > on interfaces eth1:1, eth1:2 and eth1:3 (with different rule-sets on
> each).
> > And replicate the HOMENET variable in each snort.eth1:x.conf.
> >
> > Looking at snort process, HOMENET variable seems to be not taken from my
> > snort.eth1:x.conf files but snort.debian.conf (I'm running Alienvault
> > OpenSource SIEM - OSSIM v3.0, based on Debian 5.0.8 and Snort 2.9.0.4).
> > So I've modified the DEBIAN_SNORT_HOME_NET to look like this :
> >
> > DEBIAN_SNORT_HOME_NET="
> 10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]<http://10.0.0.0/8,99.0.0.0/16,%21[10.9.0.0/16,99.0.17.0/24]>
> "
> > And then, Snort don't want to restart :
> >
> > FATAL ERROR: /etc/snort/rules/emerging-dns.rules => Negated IP ranges
> that
> > are equal to or are more-general than non-negated
> > ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.
> >
> >
> > Looking for some hints, I came across this
> > (http://seclists.org/snort/2010/q3/674), this
> > (http://seclists.org/snort/2009/q3/267) and read README.variables. But
> still
> > lost. Don't know if the problem is Debian or Snort related...
> >
> > Actually, I play with CIDR to exclude the above IP inside the
> > snort.debian.conf file. But this is a bit painful to maintain and I
> received
> > some new exclusions to add to the list every week. I'll appreciate some
> > light on this :)
> >
> >
> > Greetings,
> > Nogwai
> ------------------------------------------------------------------------------
> > Try before you buy = See our experts in action!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-dev2
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > news!
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!