[Snort-users] Does setting HOME_NET have any effect in Stealth mode?

Rob Ward rob.ward at ...11329...
Tue Nov 2 07:52:23 EST 2004


--On 02 November 2004 23:36 +0800 Michael Boman <michael.boman at ...11827...> 
wrote:

> On Tue, 02 Nov 2004 15:09:32 +0000, Rob Ward <rob.ward at ...11329...>
> wrote:
>> Hi Michael,
>>
>> --On 02 November 2004 23:02 +0800 Michael Boman <michael.boman at ...11827...>
>> wrote:
>>
>>
>>
>> > On Tue, 02 Nov 2004 13:05:26 +0000, Rob Ward <rob.ward at ...11329...>
>> > wrote:
>> >> When I set "HOME_NET" to anything other than 'any' I no longer see any
>> >> DOS or DDOS alerts but P2P alerts are still output. I've tried
>> >> following the configuration examples in the FAQs etc. and can't get
>> >> it to work. I'm wondering if HOME_NET has any relevance when running
>> >> snort in 'stealth' or am I wide of the mark?
>> >
>> > HOME_NET is used to define the network you are interested in monitoring,
>> > and your snort box being in stealth mode or not has nothing to do with
>> > it.
>>
>> That's what I find strange - when I set HOME_NET to the network I want to
>> monitor the DOS alerts are no longer output?
>>
>
> Are you receiving/sending traffic that would trigger a properly
> configured ids rule?
>

Definitely, it's monitoring our student halls network. We've acted on the
alerts in the past and always found the hosts to be compromised in some way.

>> >
>> >> Also - can snort cope with variable length subnet masks?
>> >
>> > Please explain what you mean.
>> >
>>
>> For example:
>>
>> var HOME_NET [138.253.82.0/23 , 138.253.160.0/22]
>>
>
> I hope you misquoted that, if not please remove the spaces like this:
>
> var HOME_NET [138.253.82.0/23,138.253.160.0/22]
>
> and yes, it does support that (but remember to remove the spaces in
> the address list)

Funnily enough the way I wrote it above with spaces was taken from the
FAQs on snort.org! I've tried it your way as well with no success, it's
weird and only seems to affect the DOS and DDOS alerts and we still see
loads for P2P.

>
> Best regards
>  Michael Boman

Thanks

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

Tel: 0151 794 4449
Fax: 0151 794 4442
Mob: 07970 247 326
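
Added example, not part of the original thread and not Snort's own code: a small Python check of how the HOME_NET list quoted above (two different mask lengths, with or without spaces) resolves, and which rule-header direction a flow still matches once HOME_NET is narrowed from 'any'. The rule headers, the sample flow and the setting of EXTERNAL_NET to 'any' are assumptions constructed for illustration.

```python
import ipaddress
import re

def parse_var(line):
    """Parse 'var NAME any' or 'var NAME [cidr,cidr]' -> (name, nets, had_spaces)."""
    m = re.match(r"\s*var\s+(\w+)\s+(.+?)\s*$", line)
    if not m:
        raise ValueError("not a var line: %r" % line)
    name, value = m.groups()
    had_spaces = bool(re.search(r"\s", value))  # the reply above says to remove these
    if value == "any":
        return name, None, had_spaces           # None stands for 'any'
    nets = [ipaddress.ip_network(item.strip()) for item in value.strip("[]").split(",")]
    return name, nets, had_spaces

def in_nets(addr, nets):
    """True if addr is inside any listed network; mask lengths may differ per entry."""
    if nets is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def header_matches(header, src, dst, home):
    """Evaluate the address part of 'SRC port -> DST port' for one flow."""
    m = re.match(r"\s*(\S+)\s+\S+\s+->\s+(\S+)\s+\S+\s*$", header)
    if not m:
        raise ValueError("unsupported header: %r" % header)
    def side(var, addr):
        if var == "$HOME_NET":
            return in_nets(addr, home)
        if var == "$EXTERNAL_NET":
            return True                          # assumption: EXTERNAL_NET is 'any'
        raise ValueError("unknown variable: %s" % var)
    return side(m.group(1), src) and side(m.group(2), dst)

# Constructed rule headers and a constructed outbound flow (campus host -> outside host).
INBOUND = "$EXTERNAL_NET any -> $HOME_NET any"
OUTBOUND = "$HOME_NET any -> $EXTERNAL_NET any"
FLOW = ("138.253.83.10", "192.0.2.50")

def report(var_line):
    """Return which constructed headers still match FLOW under the given HOME_NET line."""
    _, home, had_spaces = parse_var(var_line)
    return {"had_spaces": had_spaces,
            "inbound": header_matches(INBOUND, *FLOW, home),
            "outbound": header_matches(OUTBOUND, *FLOW, home)}

if __name__ == "__main__":
    for line in ("var HOME_NET any", "var HOME_NET [138.253.82.0/23,138.253.160.0/22]"):
        print(line, "->", report(line))
```

Comparing the two reports against the headers of the rules that stopped alerting shows whether those rules expect the monitored hosts on the destination side.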



