[Snort-users] rules precision

Erik Engberg Erik.Engberg at ...511...
Wed Oct 11 12:01:18 EDT 2000

You are correct in your assumptions.

There are two ways you can do this:

1. Rewrite the rules you want to say ANY instead of HOME_NET or !HOME_NET.
If you want all, just use an editor that allows you to search and replace.

2. Use for var HOME_NET. That way, all IP addresses will match
HOME_NET. Trouble is that rules including !HOME_NET will never match.

Many rules already consider that suspicious traffic would come from the
HOME_NET but in your case I'd advise you just to change the rules you want
to trigger from "!HOME_NET" to "any".


-----Original Message-----
From: Raphael Bauduin [mailto:rb at ...573...]
Sent: 11 October 2000 12:40
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] rules precision


Here's how I'd like to use snort:
we have a private LAN (192.168) and I want to verify that there are no
suspect activities on it. But a lot of suspect activity could come from a
machine on the LAN. (Some machines have a public interface. So if an
intruder cracks one of the machines with a public IP, he will try to go
further on the private LAN and the suspect activity will come from HOME_NET.)

My question is: I see a lot of rules that specify "from !HOME_NET". I
that if the suspect activity comes from a machine on my private LAN, it
be detected... Is it useful to rewrite all rules so they match "from
HOME_NET"? Where can I look for rules useful for my specific needs?

Thanks for your advice!


             |  -°)                        (°-  |
             |  /\\     Linux for ever     //\  |
             | _\_v                        v_/_ |

   If windows is the answer, it must have been a stupid question.
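As an added illustration of the two options in the reply above (this is example code written for this page, not code from the thread's authors or from the Snort project), the script below applies option 1 by rewriting `!$HOME_NET` to `any` in the address fields of each rule only, leaving the option block and non-rule lines alone, and it lists the rules that option 2 (`var HOME_NET any`) would silently kill. The sample rules, the HOME_NET value and the `$HOME_NET` spelling of the variable are constructed assumptions in the Snort 1.x header format of the time; they are not taken from any real ruleset.

```python
import re

# Constructed sample ruleset for this example: a HOME_NET var, a comment and a few
# hand-written rules in the Snort 1.x format (action proto src sport dir dst dport (options)).
SAMPLE_RULES = [
    "var HOME_NET 192.168.0.0/16",
    "# scans from outside only",
    'alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP connect from outside";)',
    'alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"SNMP probe";)',
    'alert tcp $HOME_NET any -> !$HOME_NET 6667 (msg:"IRC to outside";)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP to LAN";)',
]

# Rule header: action proto src sport dir dst dport, followed by the option block.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))?\s*$"
)


def parse_rule(line):
    """Return the header fields of a rule line, or None for comments, var lines and blanks."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def rewrite_rule(line, fields=("src",)):
    """Option 1 from the reply: turn '!$HOME_NET' into 'any' in the named address
    field(s) only, so the rule also fires when the traffic originates on the LAN.
    The option block is left untouched, as is anything that is not a rule."""
    p = parse_rule(line)
    if p is None:
        return line
    changed = False
    for f in fields:
        if p[f] == "!$HOME_NET":
            p[f] = "any"
            changed = True
    if not changed:
        return line
    head = "{action} {proto} {src} {sport} {dir} {dst} {dport}".format(**p)
    return head + (" " + p["opts"] if p["opts"] else "")


def rewrite_ruleset(lines, fields=("src",)):
    """Apply rewrite_rule() to every line of a ruleset."""
    return [rewrite_rule(line, fields) for line in lines]


def dead_under_home_net_any(lines):
    """Option 2 caveat: with 'var HOME_NET any' every address matches $HOME_NET, so a
    rule whose src or dst is '!$HOME_NET' can never match. Return those rules."""
    dead = []
    for line in lines:
        p = parse_rule(line)
        if p and "!$HOME_NET" in (p["src"], p["dst"]):
            dead.append(line)
    return dead


if __name__ == "__main__":
    # Option 1: only the source field is rewritten, matching the advice in the reply.
    for line in rewrite_ruleset(SAMPLE_RULES):
        print(line)
    print("\nRules that would never fire with 'var HOME_NET any':")
    for line in dead_under_home_net_any(SAMPLE_RULES):
        print("  ", line)
```

Rewriting only the source field keeps rules such as the constructed "IRC to outside" one intact; pass `fields=("src", "dst")` to loosen both ends. Note that a rule rewritten to `any -> $HOME_NET` now also fires on purely LAN-to-LAN traffic, which is the point of the original question but can raise the alert volume.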