[Snort-users] $HOME_NET

Erek Adams erek at ...950...
Sun Apr 6 13:13:05 EDT 2003

On Sun, 6 Apr 2003, Keg wrote:

> I guess I miss something.......
> I have 3 network segments #1, #2, and #3. $HOME_NET is set to #1.
> When I scan #1 with Nessus I get a lot of alerts logged.
> When I scan #2 with Nessus I get just a little bit of alerts
> When I add #2 to $HOME_NET (so it looks like $HOME_NET [#1/24,#2/24) I
> 'm starting to get a lot of alerts.
> Hence 2 questions:
> 1. Is there any difference how snort treats netwqorks if they are not
> included in $HOME_NET?
> 2. Should I include all network segments I have in $HOME_NET?

When you're refering to portscans, are you refering to the one of the
portscan preprocessors, stream4 or some of the rules?  $HOME_NET has
nothing to do with any of those except for the rules.

Where are you scanning _from_?  If you're scanning from inside of #1, then
you won't see any alerts from the rules, but you may see them from one of
the preprocessors.

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list