[Snort-users] defining $HOME_NET

Frank Knobbe FKnobbe at ...649...
Thu Oct 19 19:12:55 EDT 2000


If the homenets are not adjacent, you can always use 3 separate rule
sets (that's how I'm running it). It's quite an overhead, though, so
an option to define IP ranges would be nice, as in:  

var INTERNAL_NET  10.10.10.5:10.10.10.55
or
var INTERNAL_NET  10.10.10.0/24, 10.10.30.0/24


Regards,
Frank

-----Original Message-----
From: Erik Engberg [mailto:Erik.Engberg at ...511...]
Sent: Thursday, October 19, 2000 3:08 PM
To: 'Steve Halligan'; 'Joanne Treurniet';
Snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] defining $HOME_NET


or /12 or /14, or /15 etc
As long as the subnets are adjacent to each other you should have
little trouble.. the problems start when they aren't...
 
On one installation I have snort sniffing on 5 class C nets that are
adjacent:
xxx.xxx.240.0 - xxx.xxx.245.0
 
But I have to use a /21 netmask to cover this in "one" net. 
xxx.xxx.240.0/21
 
Of course this means that xxx.xxx.246.0/24 and xxx.xxx.247.0/24 are
considered my home_net as well, but there's no traffic whatsoever from
those nets; I can take that problem, although it wouldn't be fun if
they started messing with me or an attacker found that out. Damage
wouldn't be too great but visibility is hampered and you have to take
that into consideration...
 
Best thing is that I have control and I can always deny those nets in
my border router or firewall. Problem solved (although not so
"neat").
 
When are we getting support for multiple home_nets? Are we getting
it?
 
/Erik
 
 

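The over-coverage discussed in this thread, worked through as an added example that is not part of the original messages: it computes the single supernet needed to cover a set of networks, the exact CIDR blocks that would cover them if a list were allowed, and the address space a single-supernet HOME_NET wrongly treats as home. The 10.20.x.0 networks are constructed stand-ins for the masked xxx.xxx.240.0 - xxx.xxx.245.0 range, and all function names are this example's own.

```python
import ipaddress

def covering_supernet(nets):
    """Smallest single CIDR block that contains every network in nets."""
    nets = [ipaddress.ip_network(n) for n in nets]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()  # widen the mask by one bit
    return block

def exact_blocks(nets):
    """Fewest CIDR blocks that cover the given networks and nothing else."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets))

def overcoverage(nets):
    """Blocks inside the single supernet that are not monitored networks."""
    extra = [covering_supernet(nets)]
    for net in exact_blocks(nets):
        remaining = []
        for block in extra:
            if net.subnet_of(block):
                # Split the block around the monitored net, keep the rest.
                remaining.extend(block.address_exclude(net))
            else:
                remaining.append(block)
        extra = remaining
    return list(ipaddress.collapse_addresses(extra))

def extra_addresses(nets):
    """Number of addresses treated as home that are not actually monitored."""
    return sum(b.num_addresses for b in overcoverage(nets))

# Constructed sample data (assumption: 10.20 stands in for the masked octets).
ADJACENT = [f"10.20.{i}.0/24" for i in range(240, 246)]
# The two non-adjacent networks from the proposed list syntax above.
SPLIT = ["10.10.10.0/24", "10.10.30.0/24"]

if __name__ == "__main__":
    for label, nets in (("adjacent", ADJACENT), ("non-adjacent", SPLIT)):
        print(label)
        print("  single supernet :", covering_supernet(nets))
        print("  exact blocks    :", ", ".join(map(str, exact_blocks(nets))))
        print("  over-covered    :", ", ".join(map(str, overcoverage(nets))))
        print("  extra addresses :", extra_addresses(nets))
```

The over-covered blocks are the ones to deny at the border router or firewall when a single supernet is the only option.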


