[Snort-users] Multiple HOME_NET IP's

Jim Burnes jburnes at ...75...
Fri Aug 11 18:23:29 EDT 2000


On Fri, 11 Aug 2000, Daniel van Balen wrote:

> On Fri, Aug 11, 2000 at 12:04:41PM -0500, Andy Beal wrote:
> > Greetings,
> > 
> > How about 2 Completely different HOME_NET subnets, such as 192.168.0.0/24 and 10.0.0.0/8, how would I get this done? Will some sort of Boolean And work inside the variable, it seems that the rules will/should interpret correctly, but I could be wrong.
> > 
> > 
> 
> 	This is what you want:
> 
> var HOME_NET 192.168.0.0/24
> include <the rule file>
> var HOME_NET 10.0.0.0/8
> include <the rule file>
> ... and so on and so forth...
> 

The problem with this is that all the rules which monitor
traffic from !HOME_NET will only match on one instance.

For example:  Assume you want to look for FTP connections
coming into your site.

If the home nets are 10.10.10.0 and 10.10.9.0 then the
rule:

log traffic ftp from !HOME_NET to HOME_NET (pseudo rule)

... only works for a *specific* value of HOME_NET.  When you load the
rulebase for 10.10.10.0, !HOME_NET=10.10.9.0 is true (and also wrong).

Only real solution is to create the notion of network
objects.  Collections of things to match on.

I have found a solution that creates a BPF filter that
filters out anything that isn't from one of the home_nets
to somewhere that's not a home_net (and vice-versa).  That
way you will never see traffic from 10.10.9.0 to 10.10.10.0.  It's
ugly, but it works.  The downside is that for any significant
number of homenets the rulebase becomes huge.

good luck,

jim burnes
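As an added illustration (not part of the original thread), the script below models both halves of Jim's reply: it evaluates the pseudo rule "from !HOME_NET to HOME_NET" once per loaded copy of the rule file, which is what the repeated `var HOME_NET ... include` approach does, and it builds the BPF capture filter that only keeps traffic between a home net and a non-home address. The two home nets and the sample addresses are constructed for the example; the helper names are my own and the `-F <bpf-file>` Snort option mentioned in the usage note is assumed from the Snort versions of the period.

```python
"""Model the !HOME_NET problem and the BPF-filter workaround from the thread."""
import ipaddress

# Constructed sample: the two home nets from the mail.
HOME_NETS = ["10.10.10.0/24", "10.10.9.0/24"]


def _nets(home_nets):
    return [ipaddress.ip_network(n, strict=False) for n in home_nets]


def rule_fires(home_net, src, dst):
    """Pseudo rule 'from !HOME_NET to HOME_NET' for ONE value of HOME_NET,
    which is all a single loaded copy of the rule file can see."""
    net = ipaddress.ip_network(home_net, strict=False)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s not in net) and (d in net)


def fires_under_repeated_include(home_nets, src, dst):
    """'var HOME_NET X / include / var HOME_NET Y / include' loads the rule
    once per value, so the alert fires if ANY copy matches. For a packet from
    one home net to another, the copy loaded for the destination net fires,
    because the source is !HOME_NET from that copy's point of view."""
    return any(rule_fires(n, src, dst) for n in home_nets)


def bpf_for_home_nets(home_nets):
    """Build a pcap/BPF expression that keeps only packets going from a home
    net to a non-home address, or from a non-home address to a home net.
    Home-to-home traffic (e.g. 10.10.9.0 -> 10.10.10.0) is dropped before
    any rule sees it."""
    nets = _nets(home_nets)
    src_home = " or ".join(f"src net {n}" for n in nets)
    dst_home = " or ".join(f"dst net {n}" for n in nets)
    inbound = f"(({dst_home}) and not ({src_home}))"
    outbound = f"(({src_home}) and not ({dst_home}))"
    return f"{inbound} or {outbound}"


def passes_bpf(home_nets, src, dst):
    """The same predicate as bpf_for_home_nets(), evaluated in Python so the
    effect can be checked offline without libpcap: keep the packet only when
    exactly one endpoint is inside a home net."""
    nets = _nets(home_nets)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_home = any(s in n for n in nets)
    dst_home = any(d in n for n in nets)
    return src_home != dst_home


if __name__ == "__main__":
    print(bpf_for_home_nets(HOME_NETS))
    # Constructed packets: one home-to-home, one from outside (192.0.2.0/24
    # is a documentation range) into a home net.
    for src, dst in [("10.10.9.5", "10.10.10.5"), ("192.0.2.7", "10.10.10.5")]:
        print(f"{src} -> {dst}: rule fires={fires_under_repeated_include(HOME_NETS, src, dst)}"
              f", kept by BPF={passes_bpf(HOME_NETS, src, dst)}")
```

Written to a file, the printed expression can be handed to Snort as a capture filter (the `-F <bpf-file>` option, assumed here; check your version's usage output), or tested against a pcap with `tcpdump -r capture.pcap -F filter.bpf`. The expression grows with the square of the number of home nets in the worst case, which is the "rulebase becomes huge" downside the reply mentions.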