[Snort-users] Followup to HOME_NET and EXTERNAL_NET

Don Don at ...5881...
Wed Nov 6 08:48:06 EST 2002


First, I'd suggest setting up your DNS servers under the DNS_SERVERS
variable, as such:
var DNS_SERVERS [192.168.0.1/32,192.168.0.2/32]

Keep your HOME_NET as is, as well as your EXTERNAL_NET as !HOME_NET; you can
set up your alerts to ignore $DNS_SERVERS.
One question I have: as far as you getting nothing but DNS zone transfers,
do you, or have you ever, got any other alerts? I'd suggest, before saying
you're not getting alerts and starting to change things around, that you do a
noisy portscan from externally to see if you are getting anything. You may
just be getting lucky and not scanned or have any actions against you, which
is possible, or your sensor may not be configured on a port that can see any
other traffic. Be sure you can see other traffic first. Then start with the
variables; for testing purposes make
var HOME_NET any
var EXTERNAL_NET any

Then do a noisy scan from externally somewhere to first your system, and
then scan another box on your net, making sure you can see both scans from
your sensor.

good luck

don

> >-----Original Message-----
> >From: snort-users-admin at lists.sourceforge.net
> >[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of John Lathem
> >Sent: Wednesday, November 06, 2002 7:23 AM
> >To: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] Followup to HOME_NET and EXTERNAL_NET
> >
> >
> >
> >I've changed my HOME_NET to match my IP ranges, like this:
> >
> >	var HOME_NET [x.x.x.160/27,x.x.x.32/27,192.168.x.0/24]
> >	var EXTERNAL_NET any
> >
> >This is two internet connections, plus the internal network.  However, I
> >still get DNS Zone Transfers logged between my two internet interfaces.
> >The DNS Zone Transfer rule indicates that it would log packets from
> >EXTERNAL_NET to HOME_NET, but both are in HOME_NET.
> >
> >When I set :
> >
> >	var EXTERNAL_NET !$HOME_NET
> >
> >I don't get any alerts logged anymore, except these zone transfers.
> >
> >Thanks!
> >
> >---
> >John Lathem  <lathem at ...7413...>
> >
> >
> >
> >
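
How the two variables decide whether a flow can satisfy the address part of a rule written from EXTERNAL_NET to HOME_NET, as an added example that is not part of the original messages. The addresses are constructed documentation-range stand-ins for the elided x.x.x networks, and `parse_var`, `header_matches` and `evaluate` are hypothetical helpers, not Snort code.

```python
import ipaddress

def parse_var(text, variables):
    """Predicate for a Snort-style IP variable: any, [CIDR list], $VAR or !negation."""
    text = text.strip()
    if text.startswith("!"):
        inner = parse_var(text[1:], variables)
        return lambda ip: not inner(ip)
    if text == "any":
        return lambda ip: True
    if text.startswith("$"):
        return parse_var(variables[text[1:]], variables)
    nets = [ipaddress.ip_network(n.strip()) for n in text.strip("[]").split(",")]
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)

def header_matches(variables, src, dst):
    """True if src -> dst fits the addresses of '$EXTERNAL_NET -> $HOME_NET'."""
    return (parse_var("$EXTERNAL_NET", variables)(src)
            and parse_var("$HOME_NET", variables)(dst))

# Constructed stand-ins: two internet-facing /27s plus the internal /24.
HOME = "[203.0.113.160/27,198.51.100.32/27,192.168.0.0/24]"

CONFIGS = {
    "EXTERNAL_NET any":        {"HOME_NET": HOME,  "EXTERNAL_NET": "any"},
    "EXTERNAL_NET !$HOME_NET": {"HOME_NET": HOME,  "EXTERNAL_NET": "!$HOME_NET"},
    "test setup (both any)":   {"HOME_NET": "any", "EXTERNAL_NET": "any"},
}

# Constructed flows (source, destination).
FLOWS = {
    "between the two internet interfaces": ("203.0.113.161", "198.51.100.33"),
    "outside host to home host":           ("192.0.2.10", "203.0.113.161"),
    "home host to outside host":           ("192.168.0.5", "192.0.2.10"),
}

def evaluate():
    """Map each configuration to the set of flows whose addresses can match."""
    return {
        name: {flow for flow, (src, dst) in FLOWS.items()
               if header_matches(variables, src, dst)}
        for name, variables in CONFIGS.items()
    }

if __name__ == "__main__":
    for name, flows in evaluate().items():
        print(f"{name}: {sorted(flows)}")
```
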