[Snort-users] Does setting HOME_NET have any effect in Stealth mode?

Michael Boman michael.boman at ...11827...
Tue Nov 2 07:42:43 EST 2004


On Tue, 02 Nov 2004 15:09:32 +0000, Rob Ward <rob.ward at ...11329...> wrote:
> Hi Michael,
> 
> --On 02 November 2004 23:02 +0800 Michael Boman <michael.boman at ...11827...>
> wrote:
> 
> 
> 
> > On Tue, 02 Nov 2004 13:05:26 +0000, Rob Ward <rob.ward at ...11329...>
> > wrote:
> >> When I set "HOME_NET" to anything other than 'any' I no longer see any
> >> DOS or DDOS alerts but P2P alerts are still output. I've tried following
> >> the configuration examples in the FAQs etc and can't get it to work. I'm
> >> wondering if HOME_NET has any relevance when running snort in 'stealth'
> >> or am I wide of the mark?
> >
> > HOME_NET is used to define the network you are interested in monitoring,
> > and your snort box being in stealth mode or not has nothing to do with
> > it.
> 
> That's what I find strange - when I set HOME_NET to the network I want to
> monitor the DOS alerts are no longer output?
>

Are you receiving/sending traffic that would trigger a properly
configured IDS rule?

> >
> >> Also - can snort cope with variable length subnet masks?
> >
> > Please explain what you mean.
> >
> 
> For example:
> 
> var HOME_NET [138.253.82.0/23 , 138.253.160.0/22]
> 

I hope you misquoted that, if not please remove the spaces like this:

var HOME_NET [138.253.82.0/23,138.253.160.0/22]

and yes, it does support that (but remember to remove the spaces in
the address list)

Best regards
 Michael Boman
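
The advice in the reply above (no spaces inside the bracketed address list), as an added example that is not part of the original post: a small Python check that flags whitespace inside `var` address lists, validates each CIDR entry, and emits the space-free form. The function name `lint_var_lists`, the `DNS_SERVERS` line and the sample configuration are constructed for illustration; nested lists are not handled.

```python
import ipaddress
import re

# "var NAME [a,b,...]" lines as used in the thread; captures name and list body.
VAR_LIST = re.compile(r'^\s*var\s+(\w+)\s+\[(.*)\]\s*$')

def lint_var_lists(conf_text):
    """Return (findings, fixed_text) for bracketed address lists in var lines."""
    findings, fixed = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = VAR_LIST.match(line)
        if not m:
            fixed.append(line)          # not an address list: keep unchanged
            continue
        name, body = m.groups()
        if re.search(r'\s', body):
            findings.append((lineno, name, "whitespace inside address list"))
        entries = [e.strip() for e in body.split(',')]
        for entry in entries:
            if entry.startswith('$') or entry == 'any':
                continue                # variable reference or wildcard
            try:
                # strict=True also rejects host bits set under the mask,
                # which is treated here as a likely prefix-length typo.
                ipaddress.ip_network(entry.lstrip('!'), strict=True)
            except ValueError as exc:
                findings.append((lineno, name, f"bad entry {entry!r}: {exc}"))
        fixed.append(f"var {name} [{','.join(entries)}]")
    return findings, "\n".join(fixed)

# Constructed sample: line 1 is the list quoted in the thread,
# line 3 is an invented entry with host bits set.
SAMPLE = """var HOME_NET [138.253.82.0/23 , 138.253.160.0/22]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.0.2.1/24]"""

if __name__ == "__main__":
    problems, cleaned = lint_var_lists(SAMPLE)
    for lineno, name, msg in problems:
        print(f"line {lineno}: {name}: {msg}")
    print(cleaned)
```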



