[Snort-users] detect that shouldn't be detected!
dlopez at ...6134...
Thu Aug 1 16:14:41 EDT 2002
Yes, but my HOME_NET is still set to 10.50.1.0/24. So, even if my home
network address is included in the EXTERNAL variable because I'm using
any, I'm launching the attack from 10.50.1.x -> 10.50.0.X
10.50.0.x is not an IP address that belongs to my Home network.
Am I still missing something? :-/
> That is right. Because 10.50.1.0 is included in your EXTERNAL network
> Try changing EXERNAL_NET to !$HOME_NET
> -----Original Message-----
> From: Daniel Lopez [mailto:dlopez at ...6134...]
> Sent: Thursday, August 01, 2002 4:49 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] detect that shouldn't be detected!
> Currently, I'm doing some tests on Snort. I'm using two LANs. One
> recreates the External network. The network address is: 10.50.0.0/24.
> The second LAN is my home network. The network address is:
> They are interconnected via a router. I wanted to be able to
> get attacks
> going from the External network to my Home network, and attacks going
> from my Home network to the other computers in my Home network.
> The SNORT box is in the home network. Computers and SNORT box are
> connected through a HUB. I configured the HOME_NET and EXTERNAL_NET
> variables as follows:
> HOME_NET 10.50.1.0/24
> EXTERNAL_NET any
> However, when I launch an attack (Teardrop, NewTear) from my home
> network to the external network, SNORT detects it!! If I look the
> Teardrop rule, it is written this way:
> [...] $EXTERNAL_NET -> $HOME_NET [...]
> Thus, it only will be applied for traffic that goes from the
> External_Net to the Home_Net!
> I don't understand how it can detect it if the attack goes
> from my home
> network to the external network. Did I miss something?
> Thanks in advance for your help!
> Daniel Lopez
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users