[Snort-users] Homenet Question

Gibson, Samuel gibsons at ...15616...
Wed May 2 09:46:23 EDT 2012


I am having an interesting issue with the homenet.  I have it set up in snort.conf as follows:

ipvar HOME_NET []

ipvar EXTERNAL_NET any

ipvar DNS_Servers [,]

Which we have subnetted into internal networks similar to 10.1.2.x, 10.2.3.x and so on.  However, our VPN clients use 10.1.20.x/24.

Whenever a VPN Client registers itself in DNS after connecting, I get an ET POLICY DNS Update From External net (Gen 1 Sig 2009702).

The rule triggers, for example, with a source of and a destination of

I can suppress this, but am mostly wondering if anyone has any insight into why the VPN is not being considered part of HOMENET.
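
Added example, not part of the original post: a Python check of how Snort-style `ipvar` lists classify an address, showing that with `ipvar EXTERNAL_NET any` a client in 10.1.20.x/24 matches both `$HOME_NET` and `$EXTERNAL_NET`, while `!$HOME_NET` excludes it. The HOME_NET value 10.0.0.0/8 and the sample addresses are constructed, the rule is assumed to use `$EXTERNAL_NET` as its source, and only flat lists with `!`, `any` and `$VAR` are handled.

```python
import ipaddress
import re

# Constructed configs: HOME_NET is an assumed value; the post's own value is not shown.
CONF_ANY = "ipvar HOME_NET [10.0.0.0/8]\nipvar EXTERNAL_NET any\n"
CONF_NOT_HOME = "ipvar HOME_NET [10.0.0.0/8]\nipvar EXTERNAL_NET !$HOME_NET\n"

def parse_ipvars(conf_text):
    """Collect 'ipvar NAME VALUE' lines into a dict."""
    ipvars = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*ipvar\s+(\S+)\s+(\S+)", line)
        if m:
            ipvars[m.group(1)] = m.group(2)
    return ipvars

def in_list(addr, value, ipvars):
    """True if addr matches a positive element and no negated element."""
    ip = ipaddress.ip_address(addr)
    positives, negatives = [], []
    for item in value.strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!")
        if item == "any":
            hit = True
        elif item.startswith("$"):
            # Variable reference: resolve it against the parsed ipvars.
            hit = in_list(addr, ipvars[item[1:]], ipvars)
        else:
            hit = ip in ipaddress.ip_network(item, strict=False)
        (negatives if negated else positives).append(hit)
    if any(negatives):
        return False
    # A list made only of negations matches everything it does not exclude.
    return any(positives) if positives else bool(negatives)

def classify(addr, conf_text):
    """Return (matches $HOME_NET, matches $EXTERNAL_NET) for addr."""
    ipvars = parse_ipvars(conf_text)
    return (in_list(addr, "$HOME_NET", ipvars), in_list(addr, "$EXTERNAL_NET", ipvars))

if __name__ == "__main__":
    for name, conf in (("any", CONF_ANY), ("!$HOME_NET", CONF_NOT_HOME)):
        for addr in ("10.1.20.15", "203.0.113.7"):
            print(name, addr, classify(addr, conf))
```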

