[Snort-users] detect that shouldn't be detected!

Daniel Lopez dlopez at ...6134...
Thu Aug 1 14:49:05 EDT 2002


Hello,

Currently, I'm doing some tests on Snort. I'm using two LANs. One
recreates the External network. The network address is: 10.50.0.0/24.
The second LAN is my home network. The network address is: 10.50.1.0/24
They are interconnected via a router. I wanted to be able to get attacks
going from the External network to my Home network, and attacks going
from my Home network to the other computers in my Home network.
The SNORT box is in the home network. Computers and SNORT box are
connected through a HUB. I configured the HOME_NET and EXTERNAL_NET
variables as follows:

HOME_NET 10.50.1.0/24

EXTERNAL_NET any

However, when I launch an attack (Teardrop, NewTear) from my home
network to the external network, SNORT detects it!! If I look the
Teardrop rule, it is written this way:

[...] $EXTERNAL_NET -> $HOME_NET [...]

Thus, it only will be applied for traffic that goes from the
External_Net to the Home_Net!
I don't understand how it can detect it if the attack goes from my home
network to the external network. Did I miss something?

Thanks in advance for your help!
Daniel Lopez






More information about the Snort-users mailing list