[Snort-users] HOME_NET not supporting multiple subnets?!

Jon Benson Jon at ...6656...
Mon Aug 19 23:02:04 EDT 2002


Hi all,

I've set up Snort + MySQL + ACID on a RH 7.3 box using RPMs and the Snort
Installation Manual as a guide.

There are just FAR too many alerts being logged, mostly false positives,
with the default setup.  So I attempted to set up HOME_NET appropriately.

However, it seems to me that it only uses the FIRST subnet when specifying
more than one subnet.

E.g., if HOME_NET were defined as:
var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27,
10.10.5.0/24]
it would only generate alerts for packets destined for 10.10.1.0/24
reliably.

There may be the odd packet that gets logged for the remaining subnets but
it is definitely missing test traffic that I'm generating from an external
network.

E.g.:
wget
"10.10.5.46/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c
../winnt/system32/cmd.exe?/c+dir"
fails to log an alert, whereas:
wget
"10.10.1.96/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c
../winnt/system32/cmd.exe?/c+dir"
would log an alert as expected.

My problem is I have 10 different subnets I need to watch (real ones, not the
examples given) and the default of "any" is, as mentioned, far too noisy.

Any/all suggestions would be most welcome.


Jon Benson
Mail/DNS Administrator
OzHosting.com
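Added example, not part of the post and not Snort's own code: a small Python checker that takes a HOME_NET definition in exactly the form posted above, splits it into entries, flags entries that do not parse as a clean network (10.10.4.1/27 has host bits set and only parses when normalized to 10.10.4.0/27), and reports which entry, if any, covers a given test target such as 10.10.5.46. This lets you confirm that a target you are probing from outside actually falls inside one of the listed networks before blaming the sensor. The tolerance for spaces and line breaks after the commas, and the helper names, are this checker's own assumptions; it says nothing about how Snort itself parses the list.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample input: the HOME_NET line from the post, copied as written,
# including the line wrap inside the brackets.
HOME_NET_LINE = (
    "var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27,\n"
    "10.10.5.0/24]"
)


def parse_home_net(line: str) -> List[str]:
    """Return the raw entries of a 'var NAME [a, b, c]' line.

    Splits on commas and strips whitespace and newlines around each entry.
    That tolerance is a property of this checker (an assumption), not a
    statement about how Snort parses the list.
    """
    keyword, _, rest = line.strip().partition(" ")
    if keyword != "var":
        raise ValueError("not a var line: %r" % line)
    name, _, value = rest.strip().partition(" ")
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError("expected a bracketed list for %s" % name)
    return [e.strip() for e in value[1:-1].split(",") if e.strip()]


def validate_entries(
    entries: List[str],
) -> List[Tuple[str, Optional[ipaddress.IPv4Network], str]]:
    """Classify each entry as (entry, network-or-None, note).

    A clean CIDR gives note "ok". A CIDR with host bits set (e.g. 10.10.4.1/27)
    is reported with the normalized network it corresponds to. Anything else
    is reported as unparseable.
    """
    results = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry)  # strict: rejects host bits set
            results.append((entry, net, "ok"))
        except ValueError:
            try:
                net = ipaddress.ip_network(entry, strict=False)
                results.append((entry, net, "host bits set; normalizes to %s" % net))
            except ValueError as exc:
                results.append((entry, None, "unparseable: %s" % exc))
    return results


def matching_subnets(entries: List[str], target: str) -> List[str]:
    """Return the HOME_NET entries (as written) that contain `target`."""
    addr = ipaddress.ip_address(target)
    return [
        entry
        for entry, net, _ in validate_entries(entries)
        if net is not None and addr in net
    ]


def check_targets(line: str, targets: List[str]) -> dict:
    """Map each test target to the list of HOME_NET entries covering it."""
    entries = parse_home_net(line)
    return {t: matching_subnets(entries, t) for t in targets}


if __name__ == "__main__":
    entries = parse_home_net(HOME_NET_LINE)
    for entry, _, note in validate_entries(entries):
        print("%-16s %s" % (entry, note))
    # The two test hosts from the post plus one constructed probe target
    # that lies outside the normalized 10.10.4.0/27.
    for target, hits in check_targets(
        HOME_NET_LINE, ["10.10.5.46", "10.10.1.96", "10.10.4.40"]
    ).items():
        print("%-12s -> %s" % (target, hits or "not in HOME_NET"))
```

Run it against your real HOME_NET line (the sample above is the one from the post); an entry reported as "host bits set" or "unparseable" is worth cleaning up before looking elsewhere, and a probe target that shows "not in HOME_NET" will never trigger a rule whose destination is $HOME_NET regardless of how the sensor is behaving.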
