[Snort-users] Homenet Question

Ian Bowers iggdawg at ...11827...
Wed May 2 13:11:31 EDT 2012


Alternately, if you have some reason for using "any" as EXTERNAL_NET, you
can change the variable in the rule from EXTERNAL_NET to !$HOME_NET.  If
you use PulledPork, place this in modifysid.conf :

2009702 "$EXTERNAL_NET" "!$HOME_NET"

However, I imagine similar issues will come up in other rules.  Adam's
solution is probably the best way to go.

-Ian

On Wed, May 2, 2012 at 10:13 AM, Adam Gardner <adamgardner502 at ...11827...> wrote:

> Since your $EXTERNAL_NET is set to "any", 10.0.0.0/8 is included in that.
> You'll probably want to set $EXTERNAL_NET to !$HOME_NET.
>
>
> On Wed, May 2, 2012 at 9:46 AM, Gibson, Samuel <gibsons at ...15616...> wrote:
>
>> Hello,
>>
>> I am having an interesting issue with the homenet.  I have it set up in
>> snort.conf as follows:
>>
>> ipvar HOME_NET [10.0.0.0/8]
>>
>> ipvar EXTERNAL_NET any
>>
>> ipvar DNS_Servers [10.1.2.3,10.1.2.4]
>>
>> Which we have subnetted into internal networks similar to 10.1.2.x,
>> 10.2.3.x and so on.  However our VPN clients use 10.1.20.x/24.
>>
>> Whenever a VPN Client registers itself in DNS after connecting, I get an
>> ET POLICY DNS Update From External net (Gen 1 Sig 2009702)
>>
>> The rule triggers, for example, with a source of 10.10.20.10 and a
>> destination of 10.1.2.3
>>
>> I can suppress this, but am mostly wondering if anyone has any insight
>> into why the VPN is not being considered part of HOMENET.
>>
>> Thanks,
>> Sam
>
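Added example (not part of the original thread, and not Snort's own code): a small Python model of how the ipvar expressions discussed above evaluate, showing why the alert fires with EXTERNAL_NET set to any and stops with !$HOME_NET, either in snort.conf or substituted into the rule. It assumes the rule header uses $EXTERNAL_NET as source and $HOME_NET as destination, as the rule name and the thread imply; resolve() and rule_matches() are hypothetical helper names.

```python
import ipaddress

def resolve(expr, ipvars):
    """Return a predicate ip -> bool for a Snort-style ipvar expression.
    Handles 'any', $VAR references, '!' negation and flat [a,b] lists."""
    expr = expr.strip()
    if expr.startswith("!"):
        inner = resolve(expr[1:], ipvars)
        return lambda ip: not inner(ip)
    if expr == "any":
        return lambda ip: True
    if expr.startswith("$"):
        return resolve(ipvars[expr[1:]], ipvars)
    if expr.startswith("[") and expr.endswith("]"):
        items = [m.strip() for m in expr[1:-1].split(",")]
        include = [resolve(m, ipvars) for m in items if not m.startswith("!")]
        exclude = [resolve(m[1:], ipvars) for m in items if m.startswith("!")]
        # Match if the address is in some positive member (or there are none)
        # and in no negated member.
        return lambda ip: ((not include or any(p(ip) for p in include))
                           and not any(p(ip) for p in exclude))
    net = ipaddress.ip_network(expr, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

def rule_matches(src, dst, ipvars, src_var="$EXTERNAL_NET", dst_var="$HOME_NET"):
    """True if the address part of the (assumed) rule header matches the packet."""
    return resolve(src_var, ipvars)(src) and resolve(dst_var, ipvars)(dst)

# Variables from the original post, and the corrected EXTERNAL_NET.
ORIGINAL = {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "any"}
FIXED = {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    src, dst = "10.10.20.10", "10.1.2.3"  # addresses from the reported alert
    print("EXTERNAL_NET any        :", rule_matches(src, dst, ORIGINAL))
    print("EXTERNAL_NET !$HOME_NET :", rule_matches(src, dst, FIXED))
    # Per-rule substitution of !$HOME_NET, config left unchanged
    print("rule var !$HOME_NET     :",
          rule_matches(src, dst, ORIGINAL, src_var="!$HOME_NET"))
    # Constructed outside address (documentation range): should still alert
    print("outside source, fixed   :", rule_matches("198.51.100.7", dst, FIXED))
```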