[Snort-users] HOME_NET not supporting multiple subnets?!

Erek Adams erek at ...577...
Tue Aug 20 01:23:02 EDT 2002


On Tue, 20 Aug 2002, Jon Benson wrote:

[...snip...]

> There are just FAR too many alerts being logged and mostly false positives
> with the default setup.  So I attempted to setup the HOME_NET appropriately.

Mmmmm....  I love the smell of false postives in the morning. ;-)

> However it seems to me that it only uses the FIRST subnet when specifying
> more then one subnet.
>
> Eg. If HOME_NET were defined as:
> var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27,
> 10.10.5.0/24]
> it would only generate alerts for packets destined for 10.10.1.0/24
> reliably.
>
> There may be the odd packet that gets logged for the remaining subnets but
> it is definitely missing test traffic that I'm generating from an external
> network.
>
> Eg.
> wget
> "10.10.5.46/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c
> ../winnt/system32/cmd.exe?/c+dir"
> fails to log an alert where as:
> wget
> "10.10.1.96/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c
> ../winnt/system32/cmd.exe?/c+dir"
> would log an alert as expected
>
> My problem is I have 10 different subnets I need to watch (real ones not the
> examples given) and the default of "any" is, as mentioned, far too noisy.
>
> Any/all suggestions would be most welcome.

Snort handles multi nets just fine.  It's just not in your best interests to
do so.  :)

This only applies (to my knowldege) to the 1.8 branch, but...  Due to the way
the rule lists are built, you'll get better performance with multiple
instances.  Cut down your subnets and you'll gain a measureable difference in
perfomance.  The more "unions" that exist, the work snort must do.

Split your subnets into single instances if possible.  At the very least run
the more trafficed subnets alone, and the low bandwidth ones combined.  Any
little bit helps...  :)

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net






More information about the Snort-users mailing list