[Snort-users] Does setting HOME_NET have any effect in Stealth mode?

Rob Ward rob.ward at ...11329...
Tue Nov 2 05:11:56 EST 2004


I've been trying out Snort on a problem network (I'm a newbie!) that sees a 
lot of P2P traffic and DOS/DDOS attacks. I'm running NetBSD 1.6.2_STABLE 
and snort-2.2.0. The interface I'm using to monitor the network is 
connected to a SPAN port and running in promiscuous mode with no IP 
configuration. Another interface is used solely for managing the box with 
IP configured.

When I set "HOME_NET" to anything other than 'any' I no longer see any DOS 
or DDOS alerts but P2P alerts are still output. I've tried following the 
configuration examples in the FAQs etc. and can't get it to work. I'm 
wondering if HOME_NET has any relevance when running snort in 'stealth' or 
am I wide of the mark?

Also - can snort cope with variable length subnet masks?


Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

Tel: 0151 794 4449
Fax: 0151 794 4442
Mob: 07970 247 326
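
An added illustration, not part of the original post and not Snort's own code: a simplified model (no negation, ports ignored) of how a one-way rule header such as `$EXTERNAL_NET any -> $HOME_NET any` is compared with packet addresses when `HOME_NET` is a bracketed list of CIDR blocks with different prefix lengths. The comparison uses only the addresses carried in the captured packet, so the IP configuration of the sniffing interface plays no part; all addresses and helper names below are constructed for the example.

```python
import ipaddress

def parse_var(value):
    """Parse a Snort-style address value: 'any', one CIDR block, or [a,b,...]."""
    value = value.strip()
    if value == "any":
        return None  # None stands for "match every address"
    items = value.strip("[]").split(",")
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def in_var(addr, nets):
    """True if addr is covered by the parsed variable (None means any)."""
    if nets is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def header_matches(src_var, dst_var, pkt_src, pkt_dst, variables):
    """Evaluate a one-way 'src -> dst' rule header against packet addresses."""
    return (in_var(pkt_src, variables[src_var]) and
            in_var(pkt_dst, variables[dst_var]))

def uncovered(addresses, home_net):
    """Return the monitored addresses that a HOME_NET value fails to cover."""
    nets = parse_var(home_net)
    return [a for a in addresses if not in_var(a, nets)]

# Constructed sample values (documentation address ranges), not from the post.
HOME_NET = "[192.0.2.0/25,198.51.100.64/27]"
VARS = {"HOME_NET": parse_var(HOME_NET), "EXTERNAL_NET": parse_var("any")}

if __name__ == "__main__":
    # Destination addresses as they might be seen on the SPAN port.
    seen = ["192.0.2.10", "192.0.2.200", "198.51.100.70"]
    for dst in seen:
        hit = header_matches("EXTERNAL_NET", "HOME_NET", "203.0.113.9", dst, VARS)
        print(f"203.0.113.9 -> {dst}: header {'matches' if hit else 'does not match'}")
    print("not covered by HOME_NET:", uncovered(seen, HOME_NET))
```

Running the same check with the addresses actually seen on the monitored segment shows whether a non-`any` `HOME_NET` value covers them.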
