[Snort-users] home_net

Basil Saragoza snortlst at ...125...
Fri Mar 8 13:30:28 EST 2002


THanks for the warning, address I posted only looks real, it is not my
firewall, and I beleive nobody's else :-)
----- Original Message -----
From: "John Sage" <jsage at ...2022...>
To: "Basil Saragoza" <snortlst at ...125...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Friday, March 08, 2002 1:28 PM
Subject: Re: [Snort-users] home_net


> On Fri, Mar 08, 2002 at 12:30:43PM -0500, Basil Saragoza wrote:
> > When I set home_net in snort.conf to ip address of my firewall
everything is
> > fine.
> > When I set it to 215.124.175.132/26 then I see onl;y ICMP traffic.....
> > (external_net set to any)
> > Any reason for such behaviour on snort?
> > What is the correlation between home_net and external_net?
>
> Several thoughts:
>
> 1) I would **never** actually post a live IP address, or IP address
> range to a mail list -- obfuscate it -- we don't need to know the
> actual IP address you've got to work with, and neither does anyone
> else...
>
>
> 2) 215.124.175.132/26 corresponds to this:
>
> Address:   215.124.175.132       11010111.01111100.10101111.10 000100
> Netmask:   255.255.255.192 == 26 11111111.11111111.11111111.11 000000
> =>
> Network:   215.124.175.128/26    11010111.01111100.10101111.10 000000
(Class C)
> Broadcast: 215.124.175.191       11010111.01111100.10101111.10 111111
> HostMin:   215.124.175.129       11010111.01111100.10101111.10 000001
> HostMax:   215.124.175.190       11010111.01111100.10101111.10 111110
> Hosts/Net: 62
>
> the (useable) netblock from HostMin: 215.124.175.129 to a HostMax:
> 215.124.175.190 for a total of 62 hosts.
>
> Is this what you're intending to do?
>
>
> I have no idea as to why this (the *only*..?) change would suddenly
> result in your seeing only icmp traffic.
>
> Is this the only change you've made?
>
>
> - John
> --
> Most people don't type their own logfiles;  but, what do I care?
>




More information about the Snort-users mailing list