[Snort-users] Why no alerts using eth0_ADDRESS?

Dr. Richard W. Tibbs ccamp at ...4532...
Tue Jan 15 12:38:06 EST 2002


I am puzzled mildly by some remarks in the snort.conf file:
....
#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
#var HOME_NET any

By the comments above, I am led to believe that snort will always
initialize the $eth0_ADDRESS variable to the home net.
Snort has always worked "out of the shrink wrap" with no mods to
snort.conf and finds eth0, my only active NIC;
snort -v reports packets as usual.

However ......

In an exploration with snort, I tried
var HOME_NET $eth0_ADDRESS
output alert_unixsock
alert icmp $HOME_NET any -> any any (msg: "OUT" ;)
alert icmp any any -> $HOME_NET any (msg: "IN" ;)

and when I ping another machine I get no alerts,
although the snort summary output counts as many packets as ping sends &
receives. (i.e., the snort output is like:
Breakdown by protocol:               Action Stats:
...                                   Alerts: 0
  ICMP: 12
...

But when I use
var HOME_NET 192.168.1.0/32
output alert_unixsock
alert icmp $HOME_NET any  -> any any (msg: "OUT" ;)
alert icmp any any  -> $HOME_NET any (msg: "IN" ;)

I get the appropriate equal amounts of INs and OUTs alerted to the socket.

How come no alerts in the first case?
Do I actually have to set the eth0_ADDRESS variable myself?
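The following is an added illustration, not code from the post or from Snort itself. It models only the address-matching part of the two rules in the message ("$HOME_NET any -> any any" raises OUT, "any any -> $HOME_NET any" raises IN) and what a HOME_NET value such as "any", a single CIDR, or a bracketed comma list resolves to. The interface_address_var function is an assumption about what $eth0_ADDRESS is meant to expand to (the interface's IP plus netmask as one network); the point it makes is that a variable which expands to nothing leaves HOME_NET empty, so neither rule can ever fire even though every ICMP packet is still counted.

```python
import ipaddress

# Constructed model of HOME_NET matching. Not Snort's implementation;
# it exists to show why an empty HOME_NET yields zero alerts while the
# packet counters keep climbing.

def parse_home_net(value):
    """Parse a HOME_NET value as written in snort.conf.

    Accepts 'any', a single CIDR, or a bracketed, comma-separated list.
    An unset or empty variable parses to an empty list, i.e. nothing matches.
    """
    if value is None or value.strip() == "":
        return []
    value = value.strip()
    if value.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    nets = []
    for item in value.split(","):
        # snort.conf warns against spaces inside the list; treat them as an error
        if item != item.strip():
            raise ValueError("no spaces allowed in HOME_NET list: %r" % item)
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def interface_address_var(ip, netmask):
    """Assumed expansion of $<interface>_ADDRESS: the interface's network in CIDR form."""
    return str(ipaddress.ip_network("%s/%s" % (ip, netmask), strict=False))

def in_home_net(addr, nets):
    """True if addr falls inside any of the parsed HOME_NET networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def classify(src, dst, nets):
    """Return the messages the IN/OUT rule pair would raise for a packet src -> dst."""
    alerts = []
    if in_home_net(src, nets):   # alert icmp $HOME_NET any -> any any (msg: "OUT";)
        alerts.append("OUT")
    if in_home_net(dst, nets):   # alert icmp any any -> $HOME_NET any (msg: "IN";)
        alerts.append("IN")
    return alerts

if __name__ == "__main__":
    # Constructed sample: a host 192.168.1.7/24 pinging 10.0.0.1 and the reply.
    empty = parse_home_net("")                       # variable that expanded to nothing
    resolved = parse_home_net(interface_address_var("192.168.1.7", "255.255.255.0"))
    for nets, label in ((empty, "empty HOME_NET"), (resolved, "resolved HOME_NET")):
        print(label, "echo request:", classify("192.168.1.7", "10.0.0.1", nets),
              "echo reply:", classify("10.0.0.1", "192.168.1.7", nets))
```

Run as written, the empty case prints no alerts in either direction while the resolved case prints OUT for the request and IN for the reply; the same function applied to the post's literal value 192.168.1.0/32 shows that it covers exactly one address, 192.168.1.0, and nothing else on that subnet.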