[Snort-users] Does setting HOME_NET have any effect in Stealth mode?
michael.boman at ...11827...
Tue Nov 2 07:42:43 EST 2004
On Tue, 02 Nov 2004 15:09:32 +0000, Rob Ward <rob.ward at ...11329...> wrote:
> Hi Michael,
> --On 02 November 2004 23:02 +0800 Michael Boman <michael.boman at ...11827...>
> > On Tue, 02 Nov 2004 13:05:26 +0000, Rob Ward <rob.ward at ...11329...>
> > wrote:
> >> When I set "HOME_NET" to anything other than 'any' I no longer see any
> >> DOS or DDOS alerts but P2P alerts are still output. I've tried following
> >> the configuration examples in the FAQs etc and can't get it to work. I'm
> >> wondering if HOME_NET has any relevance when running snort in 'stealth'
> >> or am I wide of the mark?
> > HOME_NET is used to define the network you are interested in monitoring,
> > and your snort box being in stealth mode or not has nothing to do with
> > it.
> That's what I find strange - when I set HOME_NET to the network I want to
> monitor the DOS alerts are no longer output?
Are you receiving/sending traffic that would trigger a properly
configured IDS rule?
> >> Also - can snort cope with variable length subnet masks?
> > Please explain what you mean.
> For example:
> var HOME_NET [188.8.131.52/23 , 184.108.40.206/22]
I hope you misquoted that, if not please remove the spaces like this:
var HOME_NET [220.127.116.11/23,18.104.22.168/22]
and yes, it does support that (but remember to remove the spaces in
the address list)
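
The list-syntax and subnet points from this thread, as an added example that is not part of the original post: a Python check for a `var HOME_NET` line that flags whitespace inside the address list, reports CIDR entries with host bits set, and tests whether an address falls inside HOME_NET. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

# "var NAME VALUE" as written in the thread's snort.conf examples.
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.*)$")

def check_home_net(line):
    """Parse a 'var HOME_NET ...' line; return (networks, warnings).

    networks is None when HOME_NET is 'any' (matches every address).
    """
    m = VAR_RE.match(line)
    if not m or m.group(1) != "HOME_NET":
        raise ValueError("not a HOME_NET definition")
    value = m.group(2).strip()
    if value == "any":
        return None, []
    inner = value[1:-1] if value.startswith("[") and value.endswith("]") else value
    warnings = []
    if re.search(r"\s", inner):
        # The reply above asks for the spaces to be removed from the list.
        warnings.append("whitespace inside address list; remove it")
    networks = []
    for item in (part.strip() for part in inner.split(",")):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            warnings.append(f"{item!r} is not a valid address or CIDR block")
            continue
        if "/" in item and str(net) != item:
            warnings.append(f"{item} has host bits set; it covers {net}")
        networks.append(net)
    return networks, warnings

def in_home_net(networks, addr):
    """True if addr would be treated as part of HOME_NET."""
    if networks is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

if __name__ == "__main__":
    # Constructed sample line using private address space, with mixed masks.
    nets, warns = check_home_net("var HOME_NET [10.1.2.0/23 , 192.168.4.0/22]")
    print(warns)
    for target in ("10.1.3.200", "192.168.8.1"):
        print(target, in_home_net(nets, target))
```

Rules that name `$HOME_NET` in their header only match traffic whose address falls inside these networks, so running the monitored hosts' addresses through `in_home_net` is a quick way to see why an alert stops firing once HOME_NET is narrowed from `any`.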