[Snort-users] $HOME_NET

Erek Adams erek at ...950...
Sun Apr 6 13:13:05 EDT 2003


On Sun, 6 Apr 2003, Keg wrote:

> I guess I miss something.......
> I have 3 network segments #1, #2, and #3. $HOME_NET is set to #1.
> When I scan #1 with Nessus I get a lot of alerts logged.
> When I scan #2 with Nessus I get just a little bit of alerts
> When I add #2 to $HOME_NET (so it looks like $HOME_NET [#1/24,#2/24) I
> 'm starting to get a lot of alerts.
>
> Hence 2 questions:
> 1. Is there any difference how snort treats netwqorks if they are not
> included in $HOME_NET?
> 2. Should I include all network segments I have in $HOME_NET?

When you're refering to portscans, are you refering to the one of the
portscan preprocessors, stream4 or some of the rules?  $HOME_NET has
nothing to do with any of those except for the rules.

Where are you scanning _from_?  If you're scanning from inside of #1, then
you won't see any alerts from the rules, but you may see them from one of
the preprocessors.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list