[Snort-users] Question about !HOME_NET
shirkdog_list at ...125...
Wed Oct 11 11:15:46 EDT 2006
Well Snort can help detect such traffic, but you have a problem with your
security policy and procedures if people are just showing up and jacking
into the wall and having full access to the network (where is your
addresss???? ) :-)
Also, what is $EXTERNAL_NET set to? probably "any" in the snort.conf?
And why are you using ALL of the private addresses? you should be using a
variable that is something like
var HOME_NET [10.111.0.0/16]
var EVIL_NET !$HOME_NET
More then likely, an on internal network, your sig will fire on every packet
Ok finchy, your turn.
>From: "Nick Baronian" <kvetch at ...11827...>
>To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] Question about !HOME_NET
>Date: Wed, 11 Oct 2006 10:47:00 -0400
>I am trying to setup a simple rule but it doesn't appear to be
>working. We have has some issues with people plugging in their laptops
>to our corp. network. Some of these folks have static addresses and
>try to send some traffic outbound, while the traffic gets dropped at a
>firewall I want to log and alert on any non Home_NET IP's trying to go
>out. I thought it would be fairly easy just set home_net to something
>var HOME_NET [22.214.171.124/8,10.0.0.0/8,192.168.0.0/16] and var HOME_NET
>[126.96.36.199/8,10.0.0.0/8,192.168.0.0/16] then comment out other rules
>in snort.conf except local.rule.
>In local rule set it to something like
>alert ip !HOME_NET any -> $EXTERNAL_NET any (msg:"nonwork routable IP
>I then start snort like
>snort -e -i eth1 -l /u01/snort -s -D &
>When I look at the log down /u01/snort it lists tons of IP's going
>from an IP like 10.30 or 172.x.x.x going to some random IP. How do I
>get my rules to only log the packets for non-Home_Net IP's trying to
>talk to other non-Home_Net IP's?
>Using Tomcat but need to do more? Need to support web services, security?
>Get stuff done quickly with pre-integrated technology to make your job
>Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:
Be seen and heard with Windows Live Messenger and Microsoft LifeCams
More information about the Snort-users