[Snort-users] HOMENET IP exclusions

Jason Wallace jason.r.wallace at ...11827...
Mon Mar 12 14:33:28 EDT 2012


What is $EXTERNAL_NET set to?

On Mon, Mar 12, 2012 at 1:07 PM, Nogwai <nogwai at ...15539...> wrote:
> Hi there,
>
> I am trying to exclude some IP/IP range from HOMENET variables. Basically, I
> don't want to see any alerts coming from some single IP(s) and complete IP
> pools.
> So I've configured my HOMENET like this (in snort.ethX.conf) :
>
> var HOMENET [10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]
>
> It appears that I have a lot of traffic coming from interface eth1. So I've
> managed to split the single snort process into three separate processes running
> on interfaces eth1:1, eth1:2 and eth1:3 (with different rule-sets on each),
> and replicated the HOMENET variable in each snort.eth1:x.conf.
>
> Looking at snort process, HOMENET variable seems to be not taken from my
> snort.eth1:x.conf files but snort.debian.conf (I'm running Alienvault
> OpenSource SIEM - OSSIM v3.0, based on Debian 5.0.8 and Snort 2.9.0.4).
> So I've modified the DEBIAN_SNORT_HOME_NET to look like this :
>
> DEBIAN_SNORT_HOME_NET="10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]"
>
> And then, Snort doesn't want to restart :
>
> FATAL ERROR: /etc/snort/rules/emerging-dns.rules => Negated IP ranges that
> are equal to or are more-general than non-negated
> ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.
>
>
> Looking for some hints, I came across this
> (http://seclists.org/snort/2010/q3/674), this
> (http://seclists.org/snort/2009/q3/267) and read README.variables. But still
> lost. Don't know if the problem is Debian or Snort related...
>
> Actually, I play with CIDR to exclude the above IP inside the
> snort.debian.conf file. But this is a bit painful to maintain and I received
> some new exclusions to add to the list every week. I'll appreciate some
> light on this :)
>
>
> Greetings,
> Nogwai
>
>
>




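The quoted message mentions expanding the exclusions into plain CIDR blocks by hand and finding that painful to maintain. The sketch below is an added example, not part of the original thread or of Snort: it computes that expansion for IPv4 from an include list and an exclude list, using the values from the quoted HOMENET line. The function names `flatten` and `render` are hypothetical.

```python
import ipaddress


def flatten(include, exclude):
    """Return sorted IPv4 CIDR blocks covering `include` minus `exclude`.

    The result contains no negated ('!') terms.
    """
    remaining = [ipaddress.ip_network(n) for n in include]
    for ex in (ipaddress.ip_network(n) for n in exclude):
        kept = []
        for net in remaining:
            if not net.overlaps(ex):
                kept.append(net)                      # untouched by this exclusion
            elif ex.supernet_of(net):
                continue                              # block is entirely excluded
            else:
                kept.extend(net.address_exclude(ex))  # carve the hole out of net
        remaining = kept
    # Merge adjacent blocks where possible and return them in address order.
    return sorted(ipaddress.collapse_addresses(remaining))


def render(blocks):
    """Format the blocks as a bracketed, comma-separated list."""
    return "[" + ",".join(str(b) for b in blocks) + "]"


# Values taken from the HOMENET line in the quoted message.
INCLUDE = ["10.0.0.0/8", "99.0.0.0/16"]
EXCLUDE = ["10.9.0.0/16", "99.0.17.0/24"]

if __name__ == "__main__":
    print("var HOMENET " + render(flatten(INCLUDE, EXCLUDE)))
```

With the thread's values the two excluded ranges expand into 16 positive blocks. Regenerating the list from two short input lists avoids hand-editing CIDR splits each time a new exclusion arrives.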