[Snort-users] question on obfuscating addresses

Matt Kettler mkettler at ...4108...
Mon Jan 27 14:46:04 EST 2003

The -O flag doesn't use the HOME_NET variable from snort.conf, it uses the 
home_net specified by the -h option on the command line to snort.

The two are different things, and changing one does not over-ride the other.

-h - home_net as far as logging, etc sees things. Useful with -O and also 
if you're using text-mode packet dumps as it forces the directory names to 
be those of "forgein" IPs whenever possible, regardless of dest/src.

var HOME_NET is used in snort.conf and changes what IP's the rules look at, 

The snort code itself is in general not aware of what var HOME_NET is set to.

At 05:00 PM 1/27/2003 -0500, James R. Hendrick wrote:
>         I recently tried to use snort to process binary logs and obfuscate
>the non HOME_NET addresses, generating "cleaned" binary logs. It doesn't
>look like this is possible. It appears that no matter what the "HOME_NET"
>was defined to be, that the "-O" flag simply causes all addresses to be
>translated to xxx.xxx.xxx.xxx

More information about the Snort-users mailing list