[Snort-users] Does setting HOME_NET have any effect in Stealth mode?

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Nov 3 03:53:53 EST 2004

--On 03 November 2004 10:52 +0000 Rob Ward <rob.ward at ...11329...> wrote:

> Thanks Alex,
> --On 03 November 2004 10:19 +0000 "Alex Butcher, ISC/ISYS"
> <Alex.Butcher at ...11254...> wrote:
>> --On 02 November 2004 13:05 +0000 Rob Ward <rob.ward at ...11329...>
>> wrote:
>>> When I set "HOME_NET" to anything other than 'any' I no longer see any
>>> DOS or DDOS alerts but P2P alerts are still output.
>> Depending on how the P2P rules in question are written, that will still
>> be the case. If you don't want to know which of your hosts in $HOME_NET
>> are using P2P services, why do you have the rules enabled?
> I do want to see these but they're output regardless of what I set
> HOME_NET to.

No, if you take a look at the rules, they're still triggering because the 
source addresses are still in $HOME_NET, or the rule in question is using 
the <> bi-directional operator. By setting $HOME_NET, you will be 
eliminating most P2P alerts generated by non-$HOME_NET hosts. Chances are, 
like most academic networks, you've got lots of P2P users, though.

> The thing is I also want to see the DOS and DDOS alerts but
> these stop being output when I use anything other than "var HOME_NET
> any"? I'd hoped that setting HOME_NET and EXTERNAL_NET would cut down the
> load on my box - which it does but if the DOS and DDOS alerts are no
> longer output then it defeats the object!

It appears most of the DOS rules only trigger if they're targeted *at* 
$HOME_NET. You presumably want to see attacks sent *by* $HOME_NET - in 
which case, you'll need to replace $HOME_NET with 'any' (possibly by using 
Oinkmaster's 'modifysid' function) by editing the (D)DOS rules.

Read the rules, and it'll all make sense. Honest.

> Rob Ward
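
The direction semantics Alex describes can be checked without running Snort. The script below is an added example, not code from the thread or from Snort: it simulates Snort 2.x rule-header matching (address specs `any`, `$VAR`, `!spec`, CIDR and `[a,b]` lists; `->` versus `<>`) over three constructed rules with placeholder SIDs, and then applies a plain-text substitution that stands in for Oinkmaster's per-SID `modifysid` rewrite. It shows that an outbound flood from a campus host stops matching a `$EXTERNAL_NET any -> $HOME_NET any` rule as soon as HOME_NET is narrowed, that a `<>` P2P rule keeps firing for campus hosts while going quiet for non-campus traffic, and one caveat: replacing `$HOME_NET` with `any` only restores the outbound DOS alert if EXTERNAL_NET is still `any`; with `EXTERNAL_NET !$HOME_NET` the source side of the header still excludes the campus host. All addresses and rules here are constructed.

```python
"""Simulate Snort 2.x rule-header matching (constructed example, not Snort code)."""
import ipaddress
import re

# Constructed sample rules in Snort 2.x syntax; SIDs are placeholders, not VRT IDs.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DOS constructed flood"; sid:9000001;)',
    'alert tcp $HOME_NET any <> $EXTERNAL_NET 6881 (msg:"P2P constructed BitTorrent"; sid:9000002;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4662 (msg:"P2P constructed eDonkey"; sid:9000003;)',
]

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def parse_rule(text):
    """Split a rule into its header fields and pull out the sid option."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule header: " + text)
    d = m.groupdict()
    sid = re.search(r'sid:\s*(\d+)', d['opts'])
    d['sid'] = int(sid.group(1)) if sid else None
    return d


def addr_matches(spec, ip, variables):
    """Evaluate an address spec: any, $VAR, !spec, CIDR, or a [a,b,...] list."""
    spec = spec.strip()
    if spec.startswith('!'):
        return not addr_matches(spec[1:], ip, variables)
    if spec == 'any':
        return True
    if spec.startswith('$'):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith('['):
        return any(addr_matches(p, ip, variables) for p in spec[1:-1].split(','))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Evaluate a port spec: any, !spec, a single port, or a lo:hi range."""
    spec = spec.strip()
    if spec.startswith('!'):
        return not port_matches(spec[1:], port)
    if spec == 'any':
        return True
    if ':' in spec:
        lo, hi = spec.split(':')
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(rule, src, sport, dst, dport, variables):
    """True if the packet 5-tuple fits the header; <> is tried in both directions."""
    r = parse_rule(rule)

    def one_way(a, ap, b, bp):
        return (addr_matches(r['src'], a, variables) and port_matches(r['sport'], ap)
                and addr_matches(r['dst'], b, variables) and port_matches(r['dport'], bp))

    if one_way(src, sport, dst, dport):
        return True
    return r['dir'] == '<>' and one_way(dst, dport, src, sport)


def firing_sids(rules, src, sport, dst, dport, variables):
    return [parse_rule(r)['sid'] for r in rules
            if header_matches(r, src, sport, dst, dport, variables)]


def modifysid(rules, sid, old, new):
    """Stand-in for Oinkmaster's modifysid: rewrite the text of one rule by SID."""
    return [r.replace(old, new) if parse_rule(r)['sid'] == sid else r for r in rules]


def demo():
    any_vars = {'HOME_NET': 'any', 'EXTERNAL_NET': 'any'}
    campus = {'HOME_NET': '10.0.0.0/8', 'EXTERNAL_NET': 'any'}
    strict = {'HOME_NET': '10.0.0.0/8', 'EXTERNAL_NET': '!$HOME_NET'}
    out_flood = ('10.20.30.40', 40000, '203.0.113.9', 80)    # campus host attacking outward
    out_p2p = ('10.20.30.40', 51000, '198.51.100.7', 6881)   # campus host on BitTorrent
    ext_p2p = ('203.0.113.9', 5000, '198.51.100.7', 6881)    # two non-campus hosts in transit
    fixed = modifysid(RULES, 9000001, '$HOME_NET', 'any')    # DOS rule now "-> any 80"
    return {
        'flood_home_any': firing_sids(RULES, *out_flood, any_vars),
        'flood_home_campus': firing_sids(RULES, *out_flood, campus),
        'flood_after_modifysid': firing_sids(fixed, *out_flood, campus),
        'flood_after_modifysid_strict_ext': firing_sids(fixed, *out_flood, strict),
        'p2p_campus_host': firing_sids(RULES, *out_p2p, campus),
        'p2p_external_only_any': firing_sids(RULES, *ext_p2p, any_vars),
        'p2p_external_only_campus': firing_sids(RULES, *ext_p2p, campus),
    }


if __name__ == '__main__':
    for name, sids in demo().items():
        print(f'{name:36s} -> {sids}')
```

Running it prints the firing SIDs per scenario: the DOS rule fires on the outbound flood only with `HOME_NET any`, comes back after the `$HOME_NET` to `any` rewrite when EXTERNAL_NET is `any`, and stays silent if EXTERNAL_NET is `!$HOME_NET`; the `<>` P2P rule fires for the campus host under both settings but stops firing for external-to-external traffic once HOME_NET is narrowed, which is the load reduction Rob was after.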

