[Snort-users] Question about !HOME_NET

M. Shirk shirkdog_list at ...125...
Wed Oct 11 11:15:46 EDT 2006


Well, Snort can help detect such traffic, but you have a problem with your 
security policy and procedures if people are just showing up and jacking 
into the wall and having full access to the network (where is your 
address???? ) :-)

Also, what is $EXTERNAL_NET set to? Probably "any" in the snort.conf?

And why are you using ALL of the private addresses? You should be using a 
variable that is something like

var HOME_NET [10.111.0.0/16]
var EVIL_NET !$HOME_NET


More than likely, on an internal network, your sig will fire on every packet 
:-)

Ok finchy, your turn.

Shirkdog
http://www.shirkdog.us




>From: "Nick Baronian" <kvetch at ...11827...>
>To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] Question about !HOME_NET
>Date: Wed, 11 Oct 2006 10:47:00 -0400
>
>I am trying to set up a simple rule but it doesn't appear to be
>working. We have had some issues with people plugging in their laptops
>to our corp. network. Some of these folks have static addresses and
>try to send some traffic outbound, while the traffic gets dropped at a
>firewall I want to log and alert on any non Home_NET IP's trying to go
>out. I thought it would be fairly easy just set home_net to something
>like
>var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] and var HOME_NET
>[172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] then comment out other rules
>in snort.conf except local.rule.
>In local rule set it to something like
>alert ip !HOME_NET any -> $EXTERNAL_NET any (msg:"nonwork routable IP
>detected";)
>
>I then start snort like
>snort -e -i eth1 -l /u01/snort -s -D &
>
>When I look at the log down /u01/snort it lists tons of IP's going
>from an IP like 10.30 or 172.x.x.x going to some random IP.  How do I
>get my rules to only log the packets for non-Home_Net IP's trying to
>talk to other non-Home_Net IP's?
>
>Thanks,
>Nick
>
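Added example (not part of the original thread, and not Snort's own code): a simplified Python model of how a rule header's source and destination address expressions are matched, run over constructed packets, comparing the question's broad HOME_NET with the narrow one suggested in the reply. The packets, the function names and the "any" value for EXTERNAL_NET are assumptions; negated entries inside a list are not modelled.

```python
import ipaddress

# Constructed sample traffic (src, dst); addresses are illustrative only.
PACKETS = [
    ("10.111.4.20", "198.51.100.7"),   # corporate host going out
    ("192.168.1.50", "198.51.100.7"),  # visitor laptop, static address, going out
    ("192.168.1.50", "10.111.0.5"),    # same laptop talking to an internal host
]

# The question's broad HOME_NET and the reply's narrow one.
# EXTERNAL_NET = any is the reply's guess and is assumed here.
BROAD = {"HOME_NET": "[172.0.0.0/8,10.0.0.0/8,192.168.0.0/16]",
         "EXTERNAL_NET": "any"}
NARROW = {"HOME_NET": "[10.111.0.0/16]", "EVIL_NET": "!$HOME_NET",
          "EXTERNAL_NET": "any"}

def resolve(expr, variables):
    """Return (negated, networks) for an address expression; networks is None for 'any'."""
    expr = expr.strip()
    negated = expr.startswith("!")
    if negated:
        expr = expr[1:].strip()
    if expr.startswith("$"):  # variable reference; a nested '!' flips the sense
        inner_negated, nets = resolve(variables[expr[1:]], variables)
        return negated != inner_negated, nets
    if expr == "any":
        return negated, None
    items = expr.strip("[]").split(",")
    return negated, [ipaddress.ip_network(i.strip()) for i in items]

def matches(ip, expr, variables):
    """True if ip satisfies the (possibly negated) address expression."""
    negated, nets = resolve(expr, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def alerts(variables, src_expr, dst_expr):
    """Packets for which both sides of the rule header match."""
    return [(s, d) for s, d in PACKETS
            if matches(s, src_expr, variables) and matches(d, dst_expr, variables)]

if __name__ == "__main__":
    print("broad, !$HOME_NET -> $EXTERNAL_NET:", alerts(BROAD, "!$HOME_NET", "$EXTERNAL_NET"))
    print("narrow, $EVIL_NET -> $EXTERNAL_NET:", alerts(NARROW, "$EVIL_NET", "$EXTERNAL_NET"))
    print("narrow, $EVIL_NET -> $EVIL_NET:   ", alerts(NARROW, "$EVIL_NET", "$EVIL_NET"))
```

With every private range in HOME_NET, the visitor laptop's static private address counts as "home" and never alerts; with the narrow HOME_NET it does, and negating both sides limits alerts to non-HOME_NET sources talking to non-HOME_NET destinations.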