[Snort-users] Does setting HOME_NET have any effect in Stealth mode?
rob.ward at ...11329...
Wed Nov 3 03:00:01 EST 2004
--On 03 November 2004 10:19 +0000 "Alex Butcher, ISC/ISYS"
<Alex.Butcher at ...11254...> wrote:
> --On 02 November 2004 13:05 +0000 Rob Ward <rob.ward at ...11329...>
>> When I set "HOME_NET" to anything other than 'any' I no longer see any
>> DOS or DDOS alerts but P2P alerts are still output.
> Depending on how the P2P rules in question are written, that will still
> be the case. If you don't want to know which of your hosts in $HOME_NET
> are using P2P services, why do you have the rules enabled?
I do want to see these but they're output regardless of what I set HOME_NET
to. The thing is I also want to see the DOS and DDOS alerts but these stop
being output when I use anything other than "var HOME_NET any"? I'd hoped
that setting HOME_NET and EXTERNAL_NET would cut down the load on my box -
which it does but if the DOS and DDOS alerts are no longer output then it
defeats the object!
>> I've tried following the configuration examples in the FAQs etc. and
>> get it to work. I'm wondering if HOME_NET has any relevance when running
>> Snort in 'stealth' or am I wide of the mark?
> You're wide of the mark. Running the sniffing interface with no IP
> address has no interaction with HOME_NET, whether it's left at 'any' or
> not. :-)
>> Also - can snort cope with variable length subnet masks?
> Looks like it, from reading the source for ParseIP() in
> parser/IpAddrSet.c. I'd be surprised if it doesn't handle VLSM
> flawlessly, just as I was surprised when Solaris still didn't back around
> '98/99 or so.
>> Rob Ward
> Best Regards,
> Alex Butcher: Security & Integrity, Personal Computer Systems Group
> Information Systems and Computing GPG Key ID: F9B27DC9
> GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
Network Northwest Support
University of Liverpool
Computing Services Department
Tel: 0151 794 4449
Fax: 0151 794 4442
Mob: 07970 247 326
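
Added example, not part of the original message or of Snort's code: a small Python model of how the address fields of a rule header are evaluated against HOME_NET and EXTERNAL_NET, including a variable-length-mask list. The rule headers, rule names and addresses are constructed for illustration; it shows one way a HOME_NET value can silence inbound-scoped rules and is not a diagnosis of the setup discussed in the thread.

```python
import ipaddress

def addr_matcher(spec, variables):
    """Return a predicate for a Snort-style address spec:
    'any', '$VAR', '!spec', a CIDR block, or a [a,b] list of CIDR blocks."""
    spec = spec.strip()
    if spec.startswith("!"):
        inner = addr_matcher(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return addr_matcher(variables[spec[1:]], variables)
    if spec == "any":
        return lambda ip: True
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.strip("[]").split(",")]
    return lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)

def header_matches(header, variables, src, dst):
    """header is 'SRC_ADDR SRC_PORT DIR DST_ADDR DST_PORT'; ports are ignored here."""
    src_spec, _, direction, dst_spec, _ = header.split()
    s, d = addr_matcher(src_spec, variables), addr_matcher(dst_spec, variables)
    forward = s(src) and d(dst)
    if direction == "<>":          # bidirectional rule
        return forward or (s(dst) and d(src))
    return forward

# Constructed rule headers (hypothetical names, not taken from any ruleset).
RULES = {
    "inbound-scoped":  "$EXTERNAL_NET any -> $HOME_NET any",
    "outbound-scoped": "$HOME_NET any -> $EXTERNAL_NET any",
    "unscoped":        "any any -> any any",
}

def fired(variables, src, dst):
    """Names of the constructed rules whose header matches this packet."""
    return [n for n, h in RULES.items() if header_matches(h, variables, src, dst)]

# Two constructed configurations: everything 'any', and a VLSM HOME_NET list.
VARS_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
VARS_CIDR = {"HOME_NET": "[192.0.2.0/25,198.51.100.64/27]",
             "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    # Constructed packets (documentation address ranges).
    for src, dst in [("203.0.113.9", "192.0.2.200"),   # dst outside the /25
                     ("203.0.113.9", "192.0.2.20"),    # dst inside the /25
                     ("198.51.100.70", "203.0.113.9")]:  # src inside the /27
        print(src, "->", dst, fired(VARS_ANY, src, dst), fired(VARS_CIDR, src, dst))
```

A monitored host that falls outside the configured masks (the first packet) keeps matching the unscoped header while the inbound-scoped one goes quiet, so checking each protected address against the HOME_NET list is a quick first test when alerts disappear.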