[Snort-users] detect that shouldn't be detected!
dlopez at ...6134...
Fri Aug 2 09:57:02 EDT 2002
> You might want to try setting
> EXTERNAL_NET !HOME_NET
You wanted to say: EXTERNAL_NET !$HOME_NET , no? ;-)
Anyway, as Tom Sevy and you advised me to do, I set the EXTERNAL_NET to
By doing that, SNORT shouldn't be able to detect attacks launched from
my Home Network, and this for rules which are written this way: [...]
$EXTERNAL_NET -> $HOME_NET [...]
Is this right?
Well, I did some tests, and here are my results. I launched a NewTear
attack (a variant of the Teardrop DoS attack) from a computer that
belongs to my home network (so inside 10.50.1.0/24) to the external network
(10.50.0.0/24). Because I set the EXTERNAL_NET to !$HOME_NET, SNORT
shouldn't detect this attack, no?
Well, SNORT detected it!! Funny thing!
And my HOME_NET and EXTERNAL_NET are set to:
var HOME_NET 10.50.1.0/24
var EXTERNAL_NET !$HOME_NET
Then, I launched some other attacks (No DoS and DDoS) from the same
computer (10.50.1.130) to a computer in my external network. Here, SNORT
didn't detect them....
However, my first idea was to set these two variables to be able to
detect attacks launched from:
.my Home Net to my Home Net
.the External net to my Home net
This is the reason why I set these variables to:
var HOME_NET 10.50.1.0/24
var EXTERNAL_NET any
And with this configuration, I have the problem that I described in my
Thus, I still don't understand why SNORT detects these DoS and DDoS
attacks that are launched from my home network to the external network,
even if my EXTERNAL_NET is configured as "any" or "!$HOME_NET"...
Can somebody tell me what is wrong, please? :-/
> -----Original Message-----
> From: Daniel Lopez [mailto:dlopez at ...6134...]
> Sent: Thursday, August 01, 2002 4:49 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] detect that shouldn't be detected!
> Currently, I'm doing some tests on Snort. I'm using two LANs. One
> recreates the External network. The network address is: 10.50.0.0/24.
> The second LAN is my home network. The network address is:
> They are interconnected via a router. I wanted to be able to get attacks
> going from the External network to my Home network, and attacks going
> from my Home network to the other computers in my Home network.
> The SNORT box is in the home network. Computers and SNORT box are
> connected through a HUB. I configured the HOME_NET and EXTERNAL_NET
> variables as follows:
> HOME_NET 10.50.1.0/24
> EXTERNAL_NET any
> However, when I launch an attack (Teardrop, NewTear) from my home
> network to the external network, SNORT detects it!! If I look at the
> Teardrop rule, it is written this way:
> [...] $EXTERNAL_NET -> $HOME_NET [...]
> Thus, it will only be applied to traffic that goes from the
> External_Net to the Home_Net!
> I don't understand how it can detect it if the attack goes from my home
> network to the external network. Did I miss something?
> Thanks in advance for your help!
> Daniel Lopez
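As an added example that is not part of this thread (and not Snort's own code), here is a small Python model of how a Snort rule header's address specs (`any`, `$VAR`, `!$VAR`, a CIDR) and the `->` / `<>` direction operators resolve against a packet's source and destination. It replays the two variable settings from the thread against the three flows discussed; 10.50.1.130 is from the post, while the peer addresses 10.50.0.10 and 10.50.1.20 are constructed for the example.

```python
import ipaddress

def parse_addr_spec(spec, variables):
    """Resolve a header address spec into (negated, networks).
    networks is None for 'any'. Variables may themselves be negated
    (EXTERNAL_NET !$HOME_NET), so negations are combined recursively."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = parse_addr_spec(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    if spec == "any":
        return negated, None
    nets = [ipaddress.ip_network(p, strict=False)
            for p in spec.strip("[]").split(",")]
    return negated, nets

def addr_matches(spec, ip, variables):
    negated, nets = parse_addr_spec(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(src_spec, direction, dst_spec, src_ip, dst_ip, variables):
    """True if a rule header 'src_spec direction dst_spec' applies to the packet."""
    forward = (addr_matches(src_spec, src_ip, variables)
               and addr_matches(dst_spec, dst_ip, variables))
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = (addr_matches(src_spec, dst_ip, variables)
                   and addr_matches(dst_spec, src_ip, variables))
        return forward or reverse
    raise ValueError("unknown direction operator: %s" % direction)

# The two configurations from the thread.
VARS_NEGATED = {"HOME_NET": "10.50.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
VARS_ANY = {"HOME_NET": "10.50.1.0/24", "EXTERNAL_NET": "any"}

# Constructed flows: 10.50.1.130 is the attacking host named in the post.
FLOWS = {
    "home->external": ("10.50.1.130", "10.50.0.10"),
    "external->home": ("10.50.0.10", "10.50.1.130"),
    "home->home": ("10.50.1.130", "10.50.1.20"),
}

def evaluate_teardrop_header(variables):
    """Which flows a '$EXTERNAL_NET -> $HOME_NET' rule header applies to."""
    return {name: header_matches("$EXTERNAL_NET", "->", "$HOME_NET", s, d, variables)
            for name, (s, d) in FLOWS.items()}
```

Under both settings the home->external flow never matches the `$EXTERNAL_NET -> $HOME_NET` header (with `any` it fails on the destination, with `!$HOME_NET` on the source), so an alert on that flow has to come from a component that does not consult the rule header; checking whether the alert text names a preprocessor rather than a rule SID is the first thing to verify.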