[Snort-users] Multiple HOME_NET IP's

Jim Burnes jburnes at ...75...
Fri Aug 11 18:23:29 EDT 2000

On Fri, 11 Aug 2000, Daniel van Balen wrote:

> On Fri, Aug 11, 2000 at 12:04:41PM -0500, Andy Beal wrote:
> > Greetings,
> > 
> > How about 2 Completely different HOME_NET subnets, such as and, how would I get this done?   Will some sort of Boolean And work inside the variable, it seems that the rules will/should interpret correctly, but I could be wrong.   
> > 
> > 
> 	This is what you want:
> var HOME_NET
> include <the rule file>
> var HOME_NET
> include <the rule file>
> ... and so on and so forth...

The problem with this is that all the rules which monitor
traffic from !HOME_NET will only match on one instance.

For example:  Assume you want to look for FTP connections
coming into your site.

If the home nets are and then the

log traffic ftp from !HOME_NET to HOME_NET (pseudo rule)

... only works for a *specific* value of HOME_NET.  When you load the
rulebase for, !HOME_NET= is true (and also wrong).

Only real solution is to create the notion of network
objects.  Collections of things to match on.

I have found a solution that creates a BPF filter that
filters out anything that isn't from one of the home_nets
to somewhere that's not a home_net (and vice-versa).  That
way you will never see traffic from to  It's
ugly, but it works.  The downside is that for any significant
number of homenets the rulebase becomes huge.

good luck,

jim burnes
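The two ideas in Jim's reply, a "network object" that treats all home subnets as one set and a BPF pre-filter that only passes traffic crossing the home/not-home boundary, as an added example that is not part of the original thread. The subnets are constructed RFC 5737 documentation ranges, not anyone's real HOME_NET; naive_classify() reproduces the per-subnet rulebase problem he describes, classify() shows the set semantics, and bpf_filter() builds the filter expression.

```python
"""Multiple HOME_NET subnets: set semantics versus one rulebase per subnet.

Added example, not code from the Snort-users thread. The home subnets
below are constructed RFC 5737 documentation ranges used only for
illustration.
"""
import ipaddress

# Constructed sample: three disjoint home subnets (documentation ranges).
HOME_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_home(addr, nets=HOME_NETS):
    """True if addr lies inside ANY of the home subnets.

    This is the 'network object' semantics: !HOME_NET means
    'in none of them', not 'outside the one subnet currently loaded'.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(src, dst, nets=HOME_NETS):
    """Direction of a src->dst flow relative to the whole home set."""
    s, d = is_home(src, nets), is_home(dst, nets)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def naive_classify(src, dst, single_net):
    """Reproduces the bug: when a separate rulebase is loaded per subnet,
    each copy sees only its own subnet as HOME_NET, so traffic between two
    home subnets looks like it crosses the boundary."""
    s = ipaddress.ip_address(src) in single_net
    d = ipaddress.ip_address(dst) in single_net
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def bpf_filter(nets=HOME_NETS):
    """pcap/BPF expression that keeps only boundary-crossing traffic:
    (src in a home net and dst in none) or (dst in a home net and src in none).
    Packets between two home subnets are dropped before the rules run.
    'src net' / 'dst net' with CIDR lengths are standard pcap-filter primitives."""
    src = " or ".join("src net %s" % n.with_prefixlen for n in nets)
    dst = " or ".join("dst net %s" % n.with_prefixlen for n in nets)
    return "((%s) and not (%s)) or ((%s) and not (%s))" % (src, dst, dst, src)


if __name__ == "__main__":
    # Flow between two home subnets: correct answer is 'internal',
    # but the per-subnet rulebase for 192.0.2.0/24 calls it 'outbound'.
    print(classify("192.0.2.10", "198.51.100.5"))
    print(naive_classify("192.0.2.10", "198.51.100.5", HOME_NETS[0]))
    # Inbound FTP-style connection from outside (198.18.0.1 is a constructed
    # non-home address) to a home host.
    print(classify("198.18.0.1", "203.0.113.7"))
    print(bpf_filter())
```

The generated expression is what you would hand to Snort's BPF filter argument (or to tcpdump to check it); it grows quadratically with the number of home nets, which is the "rulebase becomes huge" cost Jim mentions. Later Snort releases let HOME_NET hold a bracketed list of networks, which gives the set semantics directly without the workaround.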
