[Snort-users] Does setting HOME_NET have any effect in Stealth mode?

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Nov 3 02:28:49 EST 2004


--On 02 November 2004 13:05 +0000 Rob Ward <rob.ward at ...11329...> wrote:

> When I set "HOME_NET" to anything other than 'any' I no longer see any
> DOS or DDOS alerts but P2P alerts are still output.

Depending on how the P2P rules in question are written, that will still be 
the case. If you don't want to know which of your hosts in $HOME_NET are 
using P2P services, why do you have the rules enabled?

> I've tried following the configuration examples in the FAQ's etc and 
can't
> get it to work. I'm wondering if HOME_NET has any relevance when running
> snort in 'stealth' or am I wide of the mark?

You're wide of the mark. Running the sniffing interface with no IP address 
has no interaction with HOME_NET, whether it's left at 'any' or not. :-)

> Also - can snort cope with variable length subnet masks?

Looks like it, from reading the source for ParseIP() in parser/IpAddrSet.c. 
I'd be surprised if it doesn't handle VLSM flawlessly, just as I was 
surprised when Solaris still didn't back around '98/99 or so.

> Rob Ward

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list