[Snort-users] HOMENET IP exclusions

Heine Lysemose lysemose at ...11827...
Tue Mar 13 05:18:15 EDT 2012


You should try looking into threshold or suppression.

/Lysemose
On Mar 13, 2012 10:11 AM, "Nogwai" <nogwai at ...15539...> wrote:

> EXTERNAL_NET is set to :
>
> var EXTERNAL_NET !$HOME_NET
>
> I've read somewhere that exclusions in the HomeNet are kinda incompatible
> with External_Net. Is it the problem?
> If yes, and assuming I set my variables like this :
>
> var HOMENET [10.0.0.0/8,99.0.0.0/16]
> var EXTERNAL_NET !$HOME_NET ![10.9.0.0/16,99.0.17.0/24]
>
> I'll NOT see alerts coming from excluded IP, right?
>
> 2012/3/12 Jason Wallace <jason.r.wallace at ...11827...>
>
>> What is $EXTERNAL_NET set to?
>>
>> On Mon, Mar 12, 2012 at 1:07 PM, Nogwai <nogwai at ...15539...> wrote:
>> > Hi there,
>> >
>> > I am trying to exclude some IP/IP range from HOMENET variables. Basically, I
>> > don't want to see any alerts coming from some single IP(s) and complete IP
>> > pools.
>> > So I've configured my HOMENET like this (in snort.ethX.conf):
>> >
>> > var HOMENET [10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]
>> >
>> > It appears that I have a lot of traffic coming from interface eth1. So I've
>> > managed to split the single snort process in three separate processes running
>> > on interfaces eth1:1, eth1:2 and eth1:3 (with different rule-sets on each),
>> > and replicate the HOMENET variable in each snort.eth1:x.conf.
>> >
>> > Looking at the snort process, the HOMENET variable seems to be taken not from my
>> > snort.eth1:x.conf files but from snort.debian.conf (I'm running Alienvault
>> > OpenSource SIEM - OSSIM v3.0, based on Debian 5.0.8 and Snort 2.9.0.4).
>> > So I've modified DEBIAN_SNORT_HOME_NET to look like this:
>> >
>> > DEBIAN_SNORT_HOME_NET="10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]"
>> >
>> > And then Snort doesn't want to restart:
>> >
>> > FATAL ERROR: /etc/snort/rules/emerging-dns.rules => Negated IP ranges that
>> > are equal to or are more-general than non-negated
>> > ranges are not allowed. Consider inverting the logic: $EXTERNAL_NET.
>> >
>> >
>> > Looking for some hints, I came across this
>> > (http://seclists.org/snort/2010/q3/674), this
>> > (http://seclists.org/snort/2009/q3/267) and read README.variables. But still
>> > lost. Don't know if the problem is Debian or Snort related...
>> >
>> > Actually, I play with CIDR to exclude the above IPs inside the
>> > snort.debian.conf file. But this is a bit painful to maintain and I receive
>> > some new exclusions to add to the list every week. I'd appreciate some
>> > light on this :)
>> >
>> >
>> > Greetings,
>> > Nogwai
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest
>> Snort
>> > news!
>>
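The FATAL ERROR quoted above comes from Snort refusing a negated range that swallows a non-negated one, which is exactly what `var EXTERNAL_NET !$HOME_NET` produces when HOME_NET itself carries `![...]` exclusions. The following is an added example, not part of the thread and not Snort's own code: a small Python model of Snort-style IP list variables that parses the nested `![...]` syntax, applies the "inside a positive range and outside every negated range" membership rule as assumed here, and reproduces the check the error message describes. The parser, `negate()`, `contains()` and `validate()` are simplified assumptions for illustration; they do not expand `$VAR` references.

```python
"""Model of Snort-style IP list variables with negation (added example, not Snort code)."""
import ipaddress
import re


def parse_ip_list(text):
    """Parse '[10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]' into a flat
    list of (negated, network) tuples.  A '!' in front of a bracket group
    toggles the negation state for everything inside that group (assumed
    simplification of Snort's README.variables syntax)."""
    tokens = re.findall(r"!|\[|\]|,|[0-9a-fA-F:./]+", text)
    entries = []
    stack = []            # saved negation state for each open bracket
    current_neg = False   # negation state of the group we are inside
    pending_neg = False   # a '!' seen, waiting for the next item or group
    for tok in tokens:
        if tok == "!":
            pending_neg = True
        elif tok == "[":
            stack.append(current_neg)
            current_neg = current_neg != pending_neg
            pending_neg = False
        elif tok == "]":
            current_neg = stack.pop()
        elif tok == ",":
            continue
        else:
            negated = current_neg != pending_neg
            pending_neg = False
            entries.append((negated, ipaddress.ip_network(tok, strict=False)))
    return entries


def negate(entries):
    """What a naive expansion of 'var EXTERNAL_NET !$HOME_NET' yields: every
    positive range becomes negated and every exclusion becomes positive."""
    return [(not neg, net) for neg, net in entries]


def contains(entries, ip):
    """Membership rule assumed here: an address matches when it lies inside at
    least one non-negated network (or there are none, meaning 'any') and inside
    none of the negated networks."""
    addr = ipaddress.ip_address(ip)
    positives = [net for neg, net in entries if not neg and net.version == addr.version]
    negatives = [net for neg, net in entries if neg and net.version == addr.version]
    in_positive = (not positives) or any(addr in net for net in positives)
    in_negative = any(addr in net for net in negatives)
    return in_positive and not in_negative


def validate(entries):
    """Mirror the rule behind the thread's FATAL ERROR: a negated range that is
    equal to or more general than a non-negated range is rejected, because it
    would cancel that range out entirely.  Returns None when the list is fine."""
    for neg, nnet in entries:
        if not neg:
            continue
        for pos_neg, pnet in entries:
            if pos_neg or pnet.version != nnet.version:
                continue
            if pnet.subnet_of(nnet):
                return f"negated {nnet} is equal to or more general than non-negated {pnet}"
    return None


# The poster's configuration, as constructed sample input.
HOME_NET = parse_ip_list("[10.0.0.0/8,99.0.0.0/16,![10.9.0.0/16,99.0.17.0/24]]")
EXTERNAL_NET = negate(HOME_NET)   # models 'var EXTERNAL_NET !$HOME_NET'


def check_external_net():
    """Return the validation error the derived EXTERNAL_NET triggers (or None)."""
    return validate(EXTERNAL_NET)


def in_neither(ip):
    """True when an address matches neither HOME_NET nor the derived EXTERNAL_NET."""
    return not contains(HOME_NET, ip) and not contains(EXTERNAL_NET, ip)


if __name__ == "__main__":
    print("HOME_NET validation:", validate(HOME_NET))
    print("EXTERNAL_NET validation:", check_external_net())
    for ip in ("10.1.2.3", "10.9.1.1", "8.8.8.8"):
        print(ip, "home:", contains(HOME_NET, ip), "external:", contains(EXTERNAL_NET, ip))
```

Running it shows why the config is refused rather than silently accepted: HOME_NET on its own validates, but its negation contains `!10.0.0.0/8` next to the positive `10.9.0.0/16`, which trips the check, and under the model's membership rule an excluded host such as 10.9.1.1 ends up in neither variable. That is the situation the error's hint ("Consider inverting the logic") and Heine's suggestion of `suppress`/`threshold` entries are both steering around: keep HOME_NET free of exclusions so `!$HOME_NET` stays well-formed, and silence the unwanted sources at the event level instead.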