[Snort-users] home_net

Phil Wood cpw at ...440...
Fri Mar 8 16:34:02 EST 2002


Well you have probably pissed off these guys:

% whois 215.124.175.132
DoD Network Information Center (NETBLK-DDN-NIC16)
   7990 Boeing Court M/S CV-50
   Vienna, VA 22183
   US

   Netname: DDN-NIC16
   Netblock: 215.0.0.0 - 215.255.255.255
   Maintainer: DNIC

   Coordinator:
      DoD, Network  (MIL-HSTMST-ARIN)  HOSTMASTER at ...5270...
      (703) 676-1051 (800) 365-3642 (FAX) (703) 676-1749

   Domain System inverse mapping provided by:

   AAA-VIENNA.NIPR.MIL          207.132.116.60
   AAA-KELLY.NIPR.MIL           199.252.162.251
   AAA-WHEELER.NIPR.MIL         199.252.180.251
   AAA-VAIHINGEN.NIPR.MIL       199.252.154.251

You might want to stop with the "Devil may care" attitude.

On Fri, Mar 08, 2002 at 04:17:46PM -0500, Basil Saragoza wrote:
> Thanks for the warning, address I posted only looks real, it is not my
> firewall, and I believe nobody else's :-)
> ----- Original Message -----
> From: "John Sage" <jsage at ...2022...>
> To: "Basil Saragoza" <snortlst at ...125...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Friday, March 08, 2002 1:28 PM
> Subject: Re: [Snort-users] home_net
> 
> 
> > On Fri, Mar 08, 2002 at 12:30:43PM -0500, Basil Saragoza wrote:
> > > When I set home_net in snort.conf to ip address of my firewall everything is
> > > fine.
> > > When I set it to 215.124.175.132/26 then I see only ICMP traffic.....
> > > (external_net set to any)
> > > Any reason for such behaviour on snort?
> > > What is the correlation between home_net and external_net?
> >
> > Several thoughts:
> >
> > 1) I would **never** actually post a live IP address, or IP address
> > range to a mail list -- obfuscate it -- we don't need to know the
> > actual IP address you've got to work with, and neither does anyone
> > else...
> >
> >
> > 2) 215.124.175.132/26 corresponds to this:
> >
> > Address:   215.124.175.132       11010111.01111100.10101111.10 000100
> > Netmask:   255.255.255.192 == 26 11111111.11111111.11111111.11 000000
> > =>
> > Network:   215.124.175.128/26    11010111.01111100.10101111.10 000000 (Class C)
> > Broadcast: 215.124.175.191       11010111.01111100.10101111.10 111111
> > HostMin:   215.124.175.129       11010111.01111100.10101111.10 000001
> > HostMax:   215.124.175.190       11010111.01111100.10101111.10 111110
> > Hosts/Net: 62
> >
> > the (useable) netblock from HostMin: 215.124.175.129 to a HostMax:
> > 215.124.175.190 for a total of 62 hosts.
> >
> > Is this what you're intending to do?
> >
> >
> > I have no idea as to why this (the *only*..?) change would suddenly
> > result in your seeing only icmp traffic.
> >
> > Is this the only change you've made?
> >
> >
> > - John
> > --
> > Most people don't type their own logfiles;  but, what do I care?
> >

-- 
Phil Wood, cpw at ...440...




