[Snort-users] Snort.conf question $HOME_NET Question V1.8.6

larosa, vjay larosa_vjay at ...3331...
Tue May 14 14:03:04 EDT 2002


If all of your addresses are contiguous like you have listed below, condense
them into smaller CIDR block[s].
A single CIDR of 10.10.0.0/17 will cover you from 10.10.0.0 ->
10.10.127.255.
 
vjl

-----Original Message-----
From: Rose, Jerry L SAJ Contractor
[mailto:Jerry.L.Rose at ...3923...]
Sent: Tuesday, May 14, 2002 4:27 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Snort.conf question $HOME_NET Question V1.8.6



Running on Linux (RedHat 7.2) - Snort 1.8.6 
My home network (internal network addresses) runs as 
follows (not my real addresses)... 
10.10.10.0/24 
10.10.11.0/24 
10.10.12.0/24 
and so on and so forth for about 70 entries. 

If I try this in snort.conf... 
var Home_NET [10.10.10.0/24,10.10.11.0/24,10.10.12.0/24,the rest through 10.10.80.0/24]
then snort will not run. 

I'm using this format below. Snort runs, but it seems that the 
variable HOME_NET isn't really what I think I am telling it to be. 
var NET_01 [10.10.10.0/24,10.10.11.0/24,10.10.12.0/24...........10.10.30.0/24]
var NET_02 [10.10.31.0/24,10.10.32.0/24,10.10.33.0/24...........10.10.60.0/24]
var NET_03 [10.10.61.0/24,10.62.10.0/24,10.10.63.0/24...........10.10.80.0/24]

var HOME_NET $NET_01 $NET_02 $NET_03 

var EXTERNAL_NET !$HOME_NET 

Alerts like $EXTERNAL_NET any > $HOME_NET any are being logged even though 
the packets are coming from internal addresses - what I intended to be 
included in $HOME_NET. 

Any Ideas? 

jerry.l.rose at ...5866... 
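
The condensing suggested in the reply, worked through as an added example (not part of either message and not Snort project code). It assumes the post's placeholder range 10.10.10.0/24 through 10.10.80.0/24 is fully contiguous; the function names are hypothetical. It also counts how many addresses a single covering /17 would add to `$HOME_NET`, and so remove from `!$HOME_NET`.

```python
import ipaddress


def home_net_blocks(first, last, prefix="10.10"):
    """Collapse the contiguous /24s <prefix>.<first>.0 .. <prefix>.<last>.0
    into the smallest exact set of CIDR blocks (constructed sample range)."""
    nets = [ipaddress.ip_network(f"{prefix}.{i}.0/24")
            for i in range(first, last + 1)]
    return list(ipaddress.collapse_addresses(nets))


def supernet_overshoot(blocks, supernet):
    """Count addresses inside `supernet` that are NOT in `blocks`.

    Every such address would be treated as HOME_NET, and therefore
    excluded from EXTERNAL_NET = !$HOME_NET, without being listed."""
    supernet = ipaddress.ip_network(supernet)
    for b in blocks:
        if not b.subnet_of(supernet):
            raise ValueError(f"{b} is outside {supernet}")
    return supernet.num_addresses - sum(b.num_addresses for b in blocks)


def snort_var(name, blocks):
    """Render the blocks in the bracketed list form used in the post."""
    return f"var {name} [{','.join(str(b) for b in blocks)}]"


if __name__ == "__main__":
    blocks = home_net_blocks(10, 80)          # 71 /24 networks in
    print(snort_var("HOME_NET", blocks))      # 6 exact CIDR blocks out
    extra = supernet_overshoot(blocks, "10.10.0.0/17")
    print(f"10.10.0.0/17 adds {extra} addresses "
          f"({extra // 256} extra /24s) beyond the listed networks")
```

If the extra ranges are unused or also internal, the single /17 is the simpler choice; otherwise the exact six-block list keeps `$EXTERNAL_NET` matching what was intended.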
