[Snort-users] defining $HOME_NET

Phil Wood cpw at ...440...
Thu Oct 19 23:58:58 EDT 2000

I just had a thought (to which my dad always said, "treat it kindly, it's
in a strange place").

1. With a subset of the rulesets (those all lined up in the same direction,
external to internal), like:

alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS116/SourceRoute-ICMP-lssr"; ipopts: lsrr ;)
alert TCP $EXTERNAL 113 -> $INTERNAL 25 (msg: "IDS139/SMTP-exploit869a"; flags: AP; content: "|0a|C|3a|daemon|0a|R";)

2. And a snort running on a transit network where your internal, CIDR, and non-CIDR
networks are behind one or more of the routers;

3. And, EXTERNAL and INTERNAL are set to "any";

4. You could set the BPF filter (-F some-bpf-filter) to just feed snort the
uni-directional traffic that it understands, like so:

[contents of some-bpf-filter]

(tcp or udp or icmp) and dst net ( or or

You would just need one instance of snort and one rule for all the nets you
have, whatever the type!

Any takers?


On Thu, Oct 19, 2000 at 06:12:55PM -0500, Frank Knobbe wrote:
> If the homenets are not adjacent, you can always use 3 separate rule
> sets (that's how I'm running it). It's quite an overhead, though, so
> an option to define IP ranges would be nice, as in:  
> or
> Regards,
> Frank
> -----Original Message-----
> From: Erik Engberg [mailto:Erik.Engberg at ...511...]
> Sent: Thursday, October 19, 2000 3:08 PM
> To: 'Steve Halligan'; 'Joanne Treurniet';
> Snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] defining $HOME_NET
> or /12 or /14, or /15 etc
> As long as the subnets are adjacent to each other you should have
> little trouble.. the problems start when they aren't...
> On one installation I have snort sniffing on 5 class C nets that are
> adjacent
> xxx.xxx.240.0 - xxx.xxx.245.0
> But I have to use a /21 netmask to cover this in "one" net.
> xxx.xxx.240.0/21
> Of course this means that xxx.xxx.246.0/24 and xxx.xxx.247.0/24 are
> considered my home_net as well, but there's no traffic whatsoever from
> those nets, so I can take that problem, although it wouldn't be fun if
> they started messing with me or an attacker found that out. Damage
> wouldn't be too great, but visibility is hampered and you have to take
> that into consideration...
> Best thing is that I have control and I can always deny those nets in
> my border router or firewall. Problem solved (although not so
> "neat").
> When are we getting support for multiple home_nets? Are we getting
> it?
> /Erik
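An added example (not from anyone in this thread), in Python using only the standard ipaddress module, that works through both points raised above: how much a single HOME_NET mask like Erik's /21 drags in beyond the nets you actually own, and what Phil's per-net -F BPF filter would look like for the same nets. The range 10.10.240.0 through 10.10.245.255 is a constructed stand-in for Erik's "xxx.xxx.240.0 - 245.0".

```python
import ipaddress

# Constructed stand-in for Erik's "xxx.xxx.240.0 - 245.0" range (six /24s).
FIRST, LAST = "10.10.240.0", "10.10.245.255"


def exact_blocks(first, last):
    """Smallest set of CIDR blocks that covers exactly first..last, nothing more."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def single_supernet(first, last):
    """The one CIDR block (Erik's /21) that spans first..last, overshoot included."""
    last_ip = ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{first}/32")
    while last_ip not in net:
        net = net.supernet()
    return net


def uncovered(supernet, blocks):
    """Parts of supernet not in any of blocks: the address space a single
    HOME_NET mask silently treats as 'home' (246.0/24 and 247.0/24 for Erik)."""
    remaining = [supernet]
    for block in blocks:
        nxt = []
        for r in remaining:
            if block.subnet_of(r):
                nxt.extend(r.address_exclude(block))
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


def bpf_filter(blocks):
    """Phil's -F filter: only packets headed for one of our nets reach the
    external -> internal rules, so one instance with $INTERNAL set to any suffices."""
    dsts = " or ".join(f"dst net {b.with_prefixlen}" for b in blocks)
    return f"(tcp or udp or icmp) and ({dsts})"


if __name__ == "__main__":
    blocks = exact_blocks(FIRST, LAST)
    wide = single_supernet(FIRST, LAST)
    extra = uncovered(wide, blocks)
    print("exact cover :", ", ".join(map(str, blocks)))
    print("single mask :", wide, "-> also covers", ", ".join(map(str, extra)),
          f"({sum(n.num_addresses for n in extra)} addresses)")
    print("bpf filter  :", bpf_filter(blocks))
```

The same `exact_blocks` output is what you would paste into a `dst net ... or dst net ...` filter for any non-power-of-two set of home nets, adjacent or not.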
