[Snort-users] Homenet Question
gibsons at ...15616...
Wed May 2 09:46:23 EDT 2012
I am having an interesting issue with the homenet. I have it setup in snort.conf as follows:
ipvar HOME_NET [10.0.0.0/8]
ipvar EXTERNAL_NET any
ipvar DNS_Servers [10.1.2.3,10.1.2.4]
Which we have subnetted into internal networks similar to 10.1.2.x, 10.2.3.x and so on. However our VPN clients use 10.1.20.x/24.
Whenever a VPN Client registers itself in DNS after connecting, I get an ET POLICY DNS Update From External net (Gen 1 Sig 2009702)
The rule triggers, for example, with a source of 10.10.20.10 and a destination of 10.1.2.3
I can suppress this, but am mostly wondering if anyone has any insight into why the VPN is not being considered part of HOMENET.
More information about the Snort-users