[Snort-users] Does setting HOME_NET have any effect in Stealth mode?
Alex Butcher, ISC/ISYS
Alex.Butcher at ...11254...
Wed Nov 3 03:53:53 EST 2004
--On 03 November 2004 10:52 +0000 Rob Ward <rob.ward at ...11329...> wrote:
> Thanks Alex,
> --On 03 November 2004 10:19 +0000 "Alex Butcher, ISC/ISYS"
> <Alex.Butcher at ...11254...> wrote:
>> --On 02 November 2004 13:05 +0000 Rob Ward <rob.ward at ...11329...>
>>> When I set "HOME_NET" to anything other than 'any' I no longer see any
>>> DOS or DDOS alerts but P2P alerts are still output.
>> Depending on how the P2P rules in question are written, that will still
>> be the case. If you don't want to know which of your hosts in $HOME_NET
>> are using P2P services, why do you have the rules enabled?
> I do want to see these but they're output regardless of what I set
> HOME_NET to.
No, if you take a look at the rules, they're still triggering because the
source addresses are still in $HOME_NET, or the rule in question is using
the <> bi-directional operator. By setting $HOME_NET, you will be
eliminating most P2P alerts generated by non-$HOME_NET hosts. Chances are,
like most academic networks, you've got lots of P2P users, though.
> The thing is I also want to see the DOS and DDOS alerts but
> these stop being output when I use anything other than "var HOME_NET
> any"? I'd hoped that setting HOME_NET and EXTERNAL_NET would cut down the
> load on my box - which it does but if the DOS and DDOS alerts are no
> longer output then it defeats the object!
It appears most of the DOS rules only trigger if they're targeted *at*
$HOME_NET. You presumably want to see attacks sent *by* $HOME_NET - in
which case, you'll need to replace $HOME_NET with 'any' (possibly by using
Oinkmaster's 'modifysid' function) by editing the (D)DOS rules.
Read the rules, and it'll all make sense. Honest.
> Rob Ward
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
More information about the Snort-users