[Snort-users] HOMENET IP exclusions

Nogwai nogwai at ...15539...
Mon Mar 12 13:07:47 EDT 2012


Hi there,

I am trying to exclude some IPs/IP ranges from the HOMENET variables. Basically, I
don't want to see any alerts coming from some single IP(s) and complete IP
pools.
So I've configured my HOMENET like this (in snort.ethX.conf) :

var HOMENET [10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]

It appears that I have a lot of traffic coming from interface eth1. So I've
managed to split the single snort process into three separate processes running
on interfaces eth1:1, eth1:2 and eth1:3 (with different rule-sets on each),
and replicated the HOMENET variable in each snort.eth1:x.conf.

Looking at the snort process, the HOMENET variable seems not to be taken from my
snort.eth1:x.conf files but from snort.debian.conf (I'm running Alienvault
OpenSource SIEM - OSSIM v3.0, based on Debian 5.0.8 and Snort 2.9.0.4).
So I've modified the DEBIAN_SNORT_HOME_NET to look like this :

DEBIAN_SNORT_HOME_NET="10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]"

And then, Snort doesn't want to restart :

FATAL ERROR: /etc/snort/rules/emerging-dns.rules => Negated IP ranges
that are equal to or are more-general than non-negated
ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.


Looking for some hints, I came across this (
http://seclists.org/snort/2010/q3/674), this (
http://seclists.org/snort/2009/q3/267) and read README.variables. But still
lost. Don't know if the problem is Debian or Snort related...

Actually, I play with CIDRs to exclude the above IPs inside the
snort.debian.conf file. But this is a bit painful to maintain and I
receive some new exclusions to add to the list every week. I'd appreciate
some light on this :)


Greetings,
Nogwai
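The following is an added example, not part of the original post and not Snort's own parser. It reads the FATAL ERROR quoted above literally: a negated network that is equal to, or contains, a non-negated network in the same list is rejected. Under that reading the HOMENET value from the post is fine on its own, but the usual EXTERNAL_NET definition (!$HOME_NET) flips every sign, so 10.0.0.0/8 becomes negated while 10.9.0.0/16 becomes positive, and that is exactly the forbidden shape. The script checks both, and it also automates the manual "play with CIDR" workaround by carving the excluded ranges out of the positive ones, which yields a list with no negation at all. The parser (_parse), the check (offending_negations) and the rewrite (expand_without_negation) are assumptions made for this example.

```python
import ipaddress

# HOMENET value from the post (constructed input for this example).
HOME_NET = "[10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]"


def _parse(s, i, negate):
    """Parse items until ']' or end of string; return (entries, next_index).
    Each entry is (negated: bool, ip_network). A '!' in front of a
    bracketed group negates every element of that group."""
    entries = []
    while i < len(s):
        c = s[i]
        if c in " ,":
            i += 1
            continue
        if c == "]":
            return entries, i + 1
        neg = negate
        if c == "!":
            neg = not neg
            i += 1
            if i >= len(s):
                break  # dangling '!' at end of input: ignore
        if s[i] == "[":
            sub, i = _parse(s, i + 1, neg)
            entries.extend(sub)
        else:
            j = i
            while j < len(s) and s[j] not in ",]":
                j += 1
            entries.append((neg, ipaddress.ip_network(s[i:j].strip(), strict=False)))
            i = j
    return entries, i


def parse_ip_list(text):
    """Parse a Snort-style IP list such as '[a,b,![c,d]]' or '![a,b]'."""
    return _parse(text.strip(), 0, False)[0]


def offending_negations(entries):
    """Pairs (negated, positive) where the negated network equals or contains
    a positive one: the condition the error message describes (assumed)."""
    bad = []
    for neg, n in entries:
        if not neg:
            continue
        for pos_neg, p in entries:
            if pos_neg or p.version != n.version:
                continue
            if p == n or p.subnet_of(n):
                bad.append((n, p))
    return bad


def expand_without_negation(entries):
    """Rewrite the list as positive CIDRs only, by subtracting every negated
    network from the positive networks that contain it."""
    positives = [n for neg, n in entries if not neg]
    negatives = [n for neg, n in entries if neg]
    result = []
    for p in positives:
        pieces = [p]
        for x in negatives:
            kept = []
            for piece in pieces:
                if x.version != piece.version:
                    kept.append(piece)
                elif x.subnet_of(piece):
                    kept.extend(piece.address_exclude(x))  # empty if x == piece
                elif piece.subnet_of(x):
                    continue  # whole piece is excluded
                else:
                    kept.append(piece)
            pieces = kept
        result.extend(pieces)
    return sorted(set(result),
                  key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def to_snort_list(nets):
    """Format networks as a Snort list literal."""
    return "[" + ",".join(str(n) for n in nets) + "]"


if __name__ == "__main__":
    home = parse_ip_list(HOME_NET)
    print("HOME_NET problems:", offending_negations(home))
    print("EXTERNAL_NET (!HOME_NET) problems:",
          offending_negations(parse_ip_list("!" + HOME_NET)))
    print("negation-free HOME_NET:", to_snort_list(expand_without_negation(home)))
```

The negation-free output is what the post describes maintaining by hand; keeping the original bracketed form in a file and regenerating the expanded list from it each time a new exclusion arrives removes the weekly manual CIDR arithmetic.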