[Snort-users] Homenet Question

Adam Gardner adamgardner502 at ...11827...
Wed May 2 10:13:10 EDT 2012


Since your $EXTERNAL_NET is set to "any" 10.0.0.0/8 is included in that.
 You'll probably want to set $EXTERNAL_NET to !$HOME_NET.


On Wed, May 2, 2012 at 9:46 AM, Gibson, Samuel <gibsons at ...15616...>wrote:

> Hello,
>
> I am having an interesting issue with the homenet.  I have it setup in
> snort.conf as follows:
>
> ipvar HOME_NET [10.0.0.0/8]
>
> ipvar EXTERNAL_NET any
>
> ipvar DNS_Servers [10.1.2.3,10.1.2.4]
>
> Which we have subnetted into internal networks similar to 10.1.2.x,
> 10.2.3.x and so on.  However our VPN clients use 10.1.20.x/24.
>
> Whenever a VPN Client registers itself in DNS after connecting, I get an
> ET POLICY DNS Update From External net  (Gen 1 Sig 2009702)
>
> The rule triggers, for example, with a source of 10.10.20.10 and a
> destination of 10.1.2.3
>
> I can suppress this, but am mostly wondering if anyone has any insight
> into why the VPN is not being considered part of HOMENET.
>
> Thanks,
> Sam
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120502/1a1f2555/attachment.html>


More information about the Snort-users mailing list