AW: [Snort-users] HOME_NET not supporting multiple subnets?!

Poppi, Sandro Sandro.Poppi at ...3316...
Mon Aug 19 23:16:05 EDT 2002


Hi Jon,

Try omitting the spaces in your list and it should work.

HTH,
Sandro
> 
> Hi all,
> 
> I've set up Snort + MySQL + Acid on a RH 7.3 box using RPMs and the Snort
> Installation Manual as a guide.
> 
> There are just FAR too many alerts being logged and mostly false positives
> with the default setup.  So I attempted to set up the HOME_NET appropriately.
> 
> However it seems to me that it only uses the FIRST subnet when specifying
> more than one subnet.
> 
> Eg. If HOME_NET were defined as:
> var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27,
> 10.10.5.0/24]
> it would only generate alerts for packets destined for 10.10.1.0/24
> reliably.
> 
> There may be the odd packet that gets logged for the remaining subnets but
> it is definitely missing test traffic that I'm generating from an external
> network.
> 
> Eg.
> wget "10.10.5.46/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir"
> fails to log an alert whereas:
> wget "10.10.1.96/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir"
> would log an alert as expected.
> 
> My problem is I have 10 different subnets I need to watch (real ones not the
> examples given) and the default of "any" is, as mentioned, far too noisy.
> 
> Any/all suggestions would be most welcome.
> 
> 
> Jon Benson
> Mail/DNS Administrator
> OzHosting.com
> 
> 
> 
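A check for the condition the reply points at, as an added example that is not part of the original thread: it scans snort.conf text for bracketed var lists containing whitespace (including a list wrapped onto a second line) and prints the list with the whitespace removed. The sample config is constructed from the HOME_NET line quoted above, the function name is hypothetical, and the host-bits note is plain CIDR arithmetic rather than a statement about how Snort treats such an entry.

```python
import ipaddress
import re

# Constructed sample based on the HOME_NET line quoted in the thread.
SAMPLE_CONF = """\
var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27,
10.10.5.0/24]
var EXTERNAL_NET any
var DNS_SERVERS [10.10.1.53/32,10.10.2.53/32]
"""

# "var NAME [ ... ]", where the bracketed list may wrap onto further lines.
VAR_LIST = re.compile(r"^[ \t]*var[ \t]+(\w+)[ \t]+\[([^\]]*)\]", re.MULTILINE)


def lint_var_lists(conf_text):
    """Return one finding per bracketed var list that contains whitespace."""
    findings = []
    for match in VAR_LIST.finditer(conf_text):
        name, body = match.group(1), match.group(2)
        entries = [e.strip() for e in body.split(",") if e.strip()]
        notes = []
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                notes.append(f"{entry}: not an IP/CIDR literal")
                continue
            # Informational only: the address part is not the network address.
            if str(net.network_address) != entry.split("/")[0]:
                notes.append(f"{entry}: host bits set, network is {net}")
        if re.search(r"\s", body):
            findings.append({
                "var": name,
                "line": conf_text.count("\n", 0, match.start()) + 1,
                "fixed": f"var {name} [{','.join(entries)}]",
                "notes": notes,
            })
    return findings


if __name__ == "__main__":
    for f in lint_var_lists(SAMPLE_CONF):
        print(f"line {f['line']}: {f['var']} list contains whitespace")
        print(f"  suggested: {f['fixed']}")
        for note in f["notes"]:
            print(f"  note: {note}")
```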



