[Snort-users] Question about !HOME_NET

M. Shirk shirkdog_list at ...125...
Wed Oct 11 11:15:46 EDT 2006

Well Snort can help detect such traffic, but you have a problem with your 
security policy and procedures if people are just showing up and jacking 
into the wall and having full access to the network (where is your 
addresss???? ) :-)

Also, what is $EXTERNAL_NET set to? probably "any" in the snort.conf?

And why are you using ALL of the private addresses? you should be using a 
variable that is something like

var HOME_NET []

More then likely, an on internal network, your sig will fire on every packet 

Ok finchy, your turn.


>From: "Nick Baronian" <kvetch at ...11827...>
>To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>Subject: [Snort-users] Question about !HOME_NET
>Date: Wed, 11 Oct 2006 10:47:00 -0400
>I am trying to setup a simple rule but it doesn't appear to be
>working. We have has some issues with people plugging in their laptops
>to our corp. network. Some of these folks have static addresses and
>try to send some traffic outbound, while the traffic gets dropped at a
>firewall I want to log and alert on any non Home_NET IP's trying to go
>out. I thought it would be fairly easy just set home_net to something
>var HOME_NET [,,] and var HOME_NET
>[,,] then comment out other rules
>in snort.conf except local.rule.
>In local rule set it to something like
>alert ip !HOME_NET any -> $EXTERNAL_NET any (msg:"nonwork routable IP
>I then start snort like
>snort -e -i eth1 -l /u01/snort -s -D &
>When I look at the log down /u01/snort it lists tons of IP's going
>from an IP like 10.30 or 172.x.x.x going to some random IP.  How do I
>get my rules to only log the packets for non-Home_Net IP's trying to
>talk to other non-Home_Net IP's?
>Using Tomcat but need to do more? Need to support web services, security?
>Get stuff done quickly with pre-integrated technology to make your job 
>Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Be seen and heard with Windows Live Messenger and Microsoft LifeCams 

More information about the Snort-users mailing list