[Snort-users] ip's outside of HOME_NET showing up

Matt Kettler mkettler at ...4108...
Thu Jul 8 09:54:00 EDT 2004


At 11:01 AM 7/8/2004, Adam Denenberg wrote:
>  I finally got my acid/mysql setup working well.  However I have
>HOME_NET defined as my public range, say 24.100.100.0/24.  However I
>am seeing tons of destination IP addresses outside of that.  Shouldn't
>Snort only be watching attacks destined for the HOME_NET network?

Not necessarily. HOME_NET is just a macro that rules can use; it doesn't 
alter what Snort itself examines.

Check the rules in question, or parameters to the preprocessors in question.

Some rules look specifically for patterns coming FROM HOME_NET, generally 
signs of worm infection, etc.

Many rules use HTTP_SERVERS, SQL_SERVERS, or SMTP_SERVERS instead of HOME_NET.

Some rules, most notably a few TFTP ones, look for any source and any 
destination IP.
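
An added example, not part of the original post: a Python script that sorts rules by their header so you can see which ones can alert on destinations outside HOME_NET. The sample rules and sids are constructed, the group names are hypothetical, and it assumes one rule per line.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from any real ruleset); sids are in the local range.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"inbound telnet"; sid:1000001;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"outbound mail burst"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"web probe"; sid:1000003;)
alert udp any any -> any 69 (msg:"tftp get"; sid:1000004;)
# alert tcp any any -> any any (msg:"disabled"; sid:1000005;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 6667 (msg:"irc chat"; sid:1000006;)
'''

# Rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def classify(rule_text, home_var="$HOME_NET"):
    """Group rule sids by how their header relates to HOME_NET."""
    groups = defaultdict(list)
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or disabled rule
        m = HEADER.match(line)
        if not m:
            continue  # not a rule header this sketch understands
        sid = re.search(r'\bsid:\s*(\d+)', m["opts"])
        sid = int(sid.group(1)) if sid else None
        if m["dir"] == "<>":
            key = "bidirectional"      # either side can be the destination
        elif m["dst"] == home_var:
            key = "dst_home_net"       # the only group limited to HOME_NET destinations
        elif m["src"] == home_var:
            key = "from_home_net"      # traffic leaving HOME_NET
        elif m["dst"] == "any":
            key = "dst_any"            # any destination IP
        else:
            key = "dst_other_var"      # e.g. $HTTP_SERVERS, $SQL_SERVERS, $SMTP_SERVERS
        groups[key].append(sid)
    return dict(groups)

if __name__ == "__main__":
    for group, sids in sorted(classify(SAMPLE_RULES).items()):
        print(f"{group:15} {sids}")
```

Every group other than `dst_home_net` can produce alerts whose destination is outside the HOME_NET range; for `dst_other_var` that depends on how the variable is defined in snort.conf.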





