Thu Nov 23 16:36:19 EST 2017
Set the "home network" to home-net. The format of
this address variable is a network prefix plus a
CIDR block, such as 192.168.1.0/24. Once this
variable is set, all decoded packet logging will be
done relative to the home network address space.
This is useful because of the way that Snort formats
its ASCII log data. With this value set to
the local network, all decoded output will be
logged into decode directories with the address of
the foreign computer as the directory name, which
is very useful during traffic analysis.
And from the Users Manual:
(Look under the second example...)
This all translates into: snort has _no_ idea of what is "your" network. As
the users guide states "you log packets relative to the home network, with the
log dir being the IP from the external net."
This is different from setting the HOME_NET variable. That is used for rules
to know which IPs to consider part of 'your network'.
Even though the two things are very close, they perform two very separate and
distinct functions. -h is for logging, obfuscation, and some snort internals.
$HOME_NET is for the rules.
> I am experimenting with logging all packets in the -b format. I intend to
> scan them later using snort -r to extract any alerts.
> THE PROBLEM is that I'm on a dialup connection where the $ppp0_ADDRESS
> changes on each connection. Is there any way to tell from the snort.log
> file what the current $HOME_NET was at the time of capture?
Not to my knowledge.
But, there is a file in the snort tarball in the contrib directory called
address_config.sh. Since you'd need the $ppp_ADDRESS to change each time,
you'd have to stop and restart snort upon each connection. If it were me, I'd
use some of the logic in that script instead of the $ppp_ADDRESS setup and
restart snort each time. Then you could use that to flag what the IP was
during the last run into a file, and store it with the binary log. You'd have
to have the .conf you used edited for each time you ran snort anyway....
> Thanks for all comments, especially those that are helpful. :-)
Useful comment: Sell your Enron stock. ;-)
*ducks and runs* :)
Hope that helps!
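One way to do what the reply suggests, as an added example that is not from the original post, the Snort project or contrib/address_config.sh: render the .conf with the current address, and write a small sidecar file next to each binary log recording the HOME_NET / -h value in effect, so the capture can be matched to it later. The template placeholder, file names and the sidecar format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or Snort). Record the address that
# snort was run with (-h and HOME_NET) beside each binary log, so that a later
# "snort -r" pass can be matched to the network in effect at capture time.

# Render snort.conf from a template whose HOME_NET line is written as
# "var HOME_NET @HOME_NET@" (assumed placeholder); substitutes the CIDR.
render_conf() {
    template=$1; out=$2; cidr=$3
    sed "s|@HOME_NET@|$cidr|" "$template" > "$out"
}

# A bare dial-up host address becomes a /32; an existing CIDR passes through.
host_cidr() {
    case $1 in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Write "<logfile>.homenet" next to the binary log with the address and the
# start time (third argument optional, defaults to now in UTC).
record_home_net() {
    logfile=$1; cidr=$2; stamp=${3:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    printf 'HOME_NET=%s\nSTARTED=%s\n' "$cidr" "$stamp" > "$logfile.homenet"
}

# Recover the HOME_NET recorded for a given binary log (prints the CIDR).
lookup_home_net() {
    sed -n 's/^HOME_NET=//p' "$1.homenet"
}

# Build the snort command line for one run: binary logging (-b), home network
# for decode/obfuscation (-h), the rendered conf (-c) and the log dir (-l).
snort_cmd() {
    cidr=$1; conf=$2; logdir=$3
    printf 'snort -b -h %s -c %s -l %s\n' "$cidr" "$conf" "$logdir"
}

# Typical use on each new connection (address discovery left to the caller,
# e.g. taken from the ppp-up hook): stop snort, then
#   cidr=$(host_cidr "$PPP_ADDR")
#   render_conf /etc/snort/snort.conf.tmpl /etc/snort/snort.conf "$cidr"
#   record_home_net /var/log/snort/snort.log "$cidr"
#   eval "$(snort_cmd "$cidr" /etc/snort/snort.conf /var/log/snort)"
```

Keep the .homenet sidecar with the binary log when you archive it; `snort -r` reads only the packets, so the sidecar is the only record of the address the run used.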