[Snort-users] HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules

David Smith DSmith at ...17880...
Fri Jun 9 13:43:20 EDT 2017


alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5;)

This alert is being triggered each time a DNS request happens between two machines within the $HOME_NET subnets.

Thanks for the quick reply
-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi at ...589...] 
Sent: Friday, June 9, 2017 11:39 AM
To: David Smith <DSmith at ...17880...>; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] HOME_NET, EXTERNAL_NET, ipvar unwanted triggered rules

Hello,

	Do you have any example traffic?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589... 

On 6/9/17, 12:32 PM, "David Smith" <DSmith at ...17880...> wrote:

>Members,
>
>ENV: Ubuntu 16.04, Snort V 2.9.9.0, Barnyard2 V 2.1.14, PulledPork 
>0.7.3, BASE 1.4.5
>
>
>Snort rules, pulled in from PulledPork are being triggered from addresses within the defined HOME_NET as if they are part of the EXTERNAL_NET, which is causing unwanted alerts.
>
>Snort.conf:
>ipvar HOME_NET [192.168.1.0/24,192.168.3.0/24]
>ipvar EXTERNAL_NET !$HOME_NET
>
>Rule example:
>alert tcp $EXTERNAL_NET any -> $HOME_NET 53.........
>
>Can't find anything in docs or web that has solved this issue for me. Thoughts or ideas?
>
>Thanks!
>
>Dave Smith
>
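An added example (not from the thread, and not Snort's own code) that models in Python how the ET rule quoted at the top of the thread is meant to evaluate: its five byte_test options all inspect DNS header byte 2 (QR bit clear, opcode bits 0101 = UPDATE), and with EXTERNAL_NET defined as !$HOME_NET a source inside HOME_NET should never satisfy $EXTERNAL_NET. The HOME_NET ranges are the ones from the snort.conf above; the sample addresses and DNS headers are constructed.

```python
import ipaddress
import struct

# ipvar HOME_NET [192.168.1.0/24,192.168.3.0/24]  (from the snort.conf in the thread)
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.3.0/24")]


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def in_external_net(ip: str) -> bool:
    # ipvar EXTERNAL_NET !$HOME_NET  -> everything not in HOME_NET
    return not in_home_net(ip)


def byte_test(payload: bytes, offset: int, op: str, value: int) -> bool:
    """One-byte subset of Snort's byte_test: '&' (bit set) and '!&' (bit clear)."""
    if len(payload) <= offset:
        return False
    b = payload[offset]
    return (b & value) != 0 if op == "&" else (b & value) == 0


def dns_update_request(payload: bytes) -> bool:
    """The five byte_test options of sid:2009702, all at offset 2 of the DNS header:
    bit 7 (QR) clear -> request; opcode bits 6..3 == 0101 -> opcode 5 (UPDATE)."""
    return (byte_test(payload, 2, "!&", 128) and byte_test(payload, 2, "!&", 64)
            and byte_test(payload, 2, "&", 32) and byte_test(payload, 2, "!&", 16)
            and byte_test(payload, 2, "&", 8))


def rule_2009702_matches(src: str, dst: str, dport: int, payload: bytes) -> bool:
    """alert udp $EXTERNAL_NET any -> $HOME_NET 53 (...byte_test options...)"""
    return (in_external_net(src) and in_home_net(dst)
            and dport == 53 and dns_update_request(payload))


def dns_header(qr: int, opcode: int, txid: int = 0x1234) -> bytes:
    # Constructed 12-byte DNS header; flags word = QR(1) Opcode(4) AA TC RD RA Z(3) RCODE(4)
    flags = (qr << 15) | (opcode << 11)
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


UPDATE_REQUEST = dns_header(qr=0, opcode=5)   # what the rule is written to catch
STANDARD_QUERY = dns_header(qr=0, opcode=0)   # an ordinary lookup, opcode 0
```

With these definitions a DNS UPDATE from 10.0.0.5 to 192.168.1.10:53 matches, while the same payload from 192.168.1.10 to 192.168.3.5:53 does not, because the source fails $EXTERNAL_NET; if a sensor alerts on the second case, the variable values it actually loaded are the first thing to compare against this intended logic.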
