[Snort-users] HOME_NET not supporting multiple subnets?!
Jon at ...6656...
Mon Aug 19 23:02:04 EDT 2002
I've setup Snort + MySQL + Acid on a RH 7.3 box using RPMs and the Snort
Installation Manual as a guide.
There are just FAR too many alerts being logged, mostly false positives,
with the default setup. So I attempted to set up HOME_NET appropriately.
However, it seems to me that it only uses the FIRST subnet when specifying
more than one subnet.
E.g. if HOME_NET were defined as:
var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27,
it would only generate alerts for packets destined for 10.10.1.0/24.
There may be the odd packet that gets logged for the remaining subnets but
it is definitely missing test traffic that I'm generating from an external
fails to log an alert, whereas:
would log an alert as expected.
My problem is I have 10 different subnets I need to watch (real ones not the
examples given) and the default of "any" is, as mentioned, far too noisy.
Any/all suggestions would be most welcome.
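A small coverage checker, added here as an example and not code from the post or from the Snort project: it parses a Snort-style `var HOME_NET [cidr, cidr, ...]` line with Python's `ipaddress` module, tests sample destination addresses against every listed subnet, and reports which subnets received no matching test traffic. The config line and the destination addresses are constructed (the real list in the post is elided), the function names are mine, and the checker tolerates spaces after commas, which is a leniency of this script rather than a statement about Snort's parser. Running it alongside the test traffic described above tells you which listed subnets the sensor should be alerting on, so a subnet that shows hits here but produces no alerts is the one to investigate.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the syntax quoted in the post.
# Note 10.10.4.1/27 has host bits set; strict=False below normalises it to 10.10.4.0/27.
SAMPLE_CONFIG = "var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27]"

# Constructed test destinations: one inside each listed subnet plus one outsider.
SAMPLE_DESTS = ["10.10.1.5", "10.10.2.9", "10.10.3.90", "10.10.4.20", "192.0.2.1"]


def parse_snort_var(line: str, name: str = "HOME_NET") -> List[ipaddress.IPv4Network]:
    """Parse 'var NAME [cidr, cidr, ...]' (or a single bare CIDR) into network objects."""
    m = re.match(r"\s*var\s+(\w+)\s+(.+?)\s*$", line)
    if not m or m.group(1) != name:
        raise ValueError(f"not a 'var {name}' line: {line!r}")
    body = m.group(2).strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    items = [p.strip() for p in body.split(",") if p.strip()]
    # strict=False maps an entry with host bits set onto its containing network.
    return [ipaddress.ip_network(item, strict=False) for item in items]


def in_home_net(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if addr falls inside ANY listed subnet, not just the first one."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def coverage_report(nets: List[ipaddress.IPv4Network],
                    dests: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count test destinations per listed subnet; return counts and unmatched addresses.

    A subnet with zero hits after generating test traffic is one the checker never
    saw traffic for, so alerts for it would not be expected either way."""
    counts = {str(n): 0 for n in nets}
    unmatched = []
    for a in dests:
        ip = ipaddress.ip_address(a)
        for n in nets:
            if ip in n:
                counts[str(n)] += 1
                break
        else:
            unmatched.append(a)
    return counts, unmatched


if __name__ == "__main__":
    nets = parse_snort_var(SAMPLE_CONFIG)
    counts, unmatched = coverage_report(nets, SAMPLE_DESTS)
    for net, hits in counts.items():
        print(f"{net:<16} test hits: {hits}")
    print("outside HOME_NET:", unmatched)
```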