[Snort-users] external_net vs !home_net

Ben Feinstein me at ...6289...
Fri Sep 27 15:53:04 EDT 2002


The HOME_NET variable parsing code in 1.8.7 is somewhat broken.  With
Snort 1.8.x, having multiple subnets in the HOME_NET var is asking for
trouble.

This appears to have been fixed in the 1.9 branch.  Try this with the
latest 1.9 beta and see if your problem is fixed.

Cheers,
Ben

On Fri, 27 Sep 2002, charella constansia wrote:

> Hi,
>
> I've been dealing with this for a while. I want to
> know if I'm doing something wrong or if it's a bug in
> Snort.
>
> I'm running snort sensor(1.8.7) on RedHat7.3.
>
> My snort.conf:
> $HOME_NET [xx,xx,xx,xx/24,yy,yy,yy,yy/24,and a few
> more]
> $EXTERNAL_NET !$HOME_NET.
>
> If I write an alert:
> alert tcp $HOME_NET any -> $EXTERNAL_NET any
> (msg:"bla";)
> This rule will also catch traffic from my internal net
> to my internal net, and I will get too many false
> positives.
> But if I write it like below:
> alert tcp $HOME_NET any -> !$HOME_NET any (msg:"bla";)
> it won't catch it.
>
> Is this a bug in snort if you have multiple subnets in
> your HOME_NET?
>
> Please help me,
>
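Added example (not Snort's code and not from either poster): a small evaluator for Snort-style IP-list variables with `!` negation, so the expected behaviour of `$HOME_NET -> $EXTERNAL_NET` versus `$HOME_NET -> !$HOME_NET` on internal-to-internal traffic can be checked against sample flows. The subnets, addresses and the `VARS` table are constructed stand-ins for the xx/yy placeholders in the post.

```python
import ipaddress
import re

# Constructed sample variables; in snort.conf these would be "var HOME_NET [...]" lines.
VARS = {
    "HOME_NET": "[10.1.1.0/24,10.1.2.0/24,192.168.5.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}

def parse_iplist(spec, variables=VARS):
    """Parse '[a,b,...]', 'a', 'any', '$VAR' or '!expr' into (negated, networks)."""
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:].strip()
    if spec.startswith("$"):
        # A negation applied to a variable that is itself negated cancels out.
        inner_neg, nets = parse_iplist(variables[spec[1:]], variables)
        return (negated != inner_neg, nets)
    if spec == "any":
        return (negated, [ipaddress.ip_network("0.0.0.0/0")])
    parts = [p.strip() for p in spec.strip("[]").split(",") if p.strip()]
    return (negated, [ipaddress.ip_network(p, strict=False) for p in parts])

def matches(iplist, addr):
    """A negated list matches only when addr lies in NONE of its networks.
    Treating it as 'not in at least one network' would match internal-to-internal
    traffic whenever the list has more than one subnet, which is the symptom in the post."""
    negated, nets = iplist
    in_any = any(ipaddress.ip_address(addr) in n for n in nets)
    return not in_any if negated else in_any

def rule_matches(header, src, dst, variables=VARS):
    """Evaluate only the IP parts of a header like 'alert tcp $HOME_NET any -> $EXTERNAL_NET any'."""
    m = re.match(r"\w+\s+\w+\s+(\S+)\s+\S+\s+->\s+(\S+)\s+\S+", header)
    if not m:
        raise ValueError("unsupported header: " + header)
    src_list = parse_iplist(m.group(1), variables)
    dst_list = parse_iplist(m.group(2), variables)
    return matches(src_list, src) and matches(dst_list, dst)
```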
