[Snort-users] HOME_NET not supporting multiple subnets?!

Mon Aug 19 23:02:04 EDT 2002

Hi all,

I've set up Snort + MySQL + Acid on a RH 7.3 box using RPMs and the Snort
Installation Manual as a guide.

There are just FAR too many alerts being logged, mostly false positives,
with the default setup.  So I attempted to set up the HOME_NET appropriately.

However, it seems to me that it only uses the FIRST subnet when specifying
more than one subnet.

E.g. if HOME_NET were defined as:
var HOME_NET [,,,,]
it would only generate alerts for packets destined for

There may be the odd packet that gets logged for the remaining subnets but
it is definitely missing test traffic that I'm generating from an external

fails to log an alert whereas:
would log an alert as expected

My problem is I have 10 different subnets I need to watch (real ones not the
examples given) and the default of "any" is, as mentioned, far too noisy.

Any/all suggestions would be most welcome.

Jon Benson
Mail/DNS Administrator

