[Snort-users] Homenet Question

Gibson, Samuel gibsons at ...15616...
Wed May 2 09:46:23 EDT 2012


Hello,

I am having an interesting issue with the homenet. I have it set up in snort.conf as follows:

ipvar HOME_NET [10.0.0.0/8]

ipvar EXTERNAL_NET any

ipvar DNS_Servers [10.1.2.3,10.1.2.4]

We have subnetted this into internal networks similar to 10.1.2.x, 10.2.3.x and so on. However, our VPN clients use 10.1.20.x/24.

Whenever a VPN client registers itself in DNS after connecting, I get an ET POLICY DNS Update From External net (Gen 1 Sig 2009702).

The rule triggers, for example, with a source of 10.10.20.10 and a destination of 10.1.2.3.

I can suppress this, but am mostly wondering if anyone has any insight into why the VPN is not being considered part of HOMENET.

Thanks,
Sam
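
An added example, not part of the original post: it evaluates the three ipvar lines above against the alert's source and destination, to show which variables each address falls into. The rule text is not shown in the post, so the header is an assumption (source $EXTERNAL_NET, destination $HOME_NET); the helper names are hypothetical and the evaluator covers only lists, `!` negation, `any` and `$VAR` references.

```python
import ipaddress

# The three ipvar lines exactly as given in the post.
CONF = """\
ipvar HOME_NET [10.0.0.0/8]
ipvar EXTERNAL_NET any
ipvar DNS_Servers [10.1.2.3,10.1.2.4]
"""

def parse_ipvars(text):
    """Return {name: raw value} for each 'ipvar NAME VALUE' line."""
    rows = (line.split(None, 2) for line in text.splitlines())
    return {r[1]: r[2].strip() for r in rows if len(r) == 3 and r[0] == "ipvar"}

def split_top(body):
    """Split a list body on commas that are not inside nested brackets."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(body + ","):
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(body[start:i].strip())
            start = i + 1
    return [x for x in items if x]

def matches(ip, expr, ipvars):
    """True if ip falls inside a Snort-style address expression."""
    expr = expr.strip()
    if expr.startswith("!"):                      # negation
        return not matches(ip, expr[1:], ipvars)
    if expr.startswith("$"):                      # variable reference
        return matches(ip, ipvars[expr[1:]], ipvars)
    if expr == "any":
        return True
    if expr.startswith("["):                      # list: positives ORed, negatives excluded
        items = split_top(expr[1:-1])
        pos = [i for i in items if not i.startswith("!")]
        return ((not pos or any(matches(ip, i, ipvars) for i in pos))
                and all(matches(ip, i, ipvars) for i in items if i.startswith("!")))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def header_matches(src, dst, src_expr, dst_expr, ipvars):
    return matches(src, src_expr, ipvars) and matches(dst, dst_expr, ipvars)

IPVARS = parse_ipvars(CONF)
SRC, DST = "10.10.20.10", "10.1.2.3"              # addresses from the alert in the post

if __name__ == "__main__":
    tuned = dict(IPVARS, EXTERNAL_NET="!$HOME_NET")   # common alternative definition
    print("src in HOME_NET:", matches(SRC, "$HOME_NET", IPVARS))
    for name, v in (("as posted", IPVARS), ("EXTERNAL_NET !$HOME_NET", tuned)):
        print(name, header_matches(SRC, DST, "$EXTERNAL_NET", "$HOME_NET", v))
```

With the variables as posted, the source address is inside HOME_NET and also matches EXTERNAL_NET, because `any` includes every address; with `EXTERNAL_NET !$HOME_NET` the assumed header no longer matches that source.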





