[Snort-users] HOME_NETS

Robert Lister robl at ...3383...
Tue Sep 18 15:32:02 EDT 2001


I am still having difficulty making this do what I want.

If I add anything more to HOME_NETS, it ignores the first statement
and my monitoring system which pings the host periodically, gets logged
as an alert.

We have a /23. It didn't like that, (snort ignored it) so I added it as
two /24s instead, which it liked. But we have an additional couple of IP
addresses that I want to add, but when I add any more to the HOME_NET
line, it ignores the first /24.

What am I doing wrong?

My home_net is set like this. I have the rules that I downloaded with a
more or less default config file:

var HOME_NET [192.168.233.0/24,192.168.232.0/24,192.168.225.252]

I've also tried:

var HOME_NET [192.168.233.0/24,192.168.232.0/24,192.168.225.252/32]

Snort still logs:

[**] [1:480:1] ICMP PING speedera [**]
09/18-23:24:37.354250 192.168.233.2 -> 192.168.225.252
ICMP TTL:252 TOS:0x0 ID:51660 IpLen:20 DgmLen:128 DF
Type:8  Code:0  ID:27243   Seq:1792  ECHO

Now, if I remove "192.168.225.252" from the end of this line, all is okay,
and the pings from 192.168.233.2 don't get logged (snort instead starts
logging another flase alert!)



On Mon, Sep 10, 2001 at 03:06:57PM +0100, Robert Lister wrote:
> 
> Hmm,
> 
> 
> I've recently installed snort and it's working; just a problem in that
> it seems to be ignoring the setting for HOME_NETS.
> 
> I've got something like this (but with real IPs):
> 
> var HOME_NET [192.168.232.0/23,192.168.224.3/32]
> 
> I've also tried it without the /32 suffix.
> 
> However, whatever I set, it seems to be ignoring one or other bit
> of it. I've got no spaces between the addresses etc.
> 
> What am I doing wrong?
> 
> It's still trapping our monitoring system which is on the first
> of the two statements.
> 
> Regards,
> 


-- 
Robert Lister    -        robl at ...3383...    -    http://www.lentil.org
                                                  tel: 07973-815198
fractures aren't all they're cracked up to be.




More information about the Snort-users mailing list