Snort mailing list archives
Re: HOME_NET question...
From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 22 Apr 2002 13:42:54 -0700 (PDT)
On Mon, 22 Apr 2002, Bob Hillegas wrote:
I see where HOST_NETWORK can be assigned in the snort.conf file or as the -h argument when invoking snort. Can anyone comment on this one?
Sure.
From the man page:
-h home-net Set the "home network" to home-net. The format of this address variable is a network prefix plus a CIDR block, such as 192.168.1.0/24. Once this variable is set, all decoded packet logging will be done relative to the home network address space. This is useful because of the way that Snort formats its ASCII log data. With this value set to the local network, all decoded output will be logged into decode directories with the address of the foreign computer as the directory name, which is very useful during traffic analysis.

And from the Users Manual: http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.3 (Look under the second example...)

This all translates into: snort has _no_ idea of what is "your" network. As the users guide states, "you log packets relative to the home network, with the log dir being the IP from the external net." This is different from setting the HOME_NET variable. That is used for rules to know which IPs to consider part of 'your network'. Even though the two things are very close, they perform two very separate and distinct functions. -h is for logging, obfuscation, and some snort internals. $HOME_NET is for the rules.
I am experimenting with logging all packets in the -b format. I intend to scan them later using snort -r to extract any alerts. THE PROBLEM is that I'm on a dialup connection where the $ppp0_ADDRESS changes on each connection. Is there any way to tell from the snort.log file what the current $HOME_NET was at the time of capture?
Not to my knowledge. But, there is a file in the snort tarball in the contrib directory called address_config.sh. Since you'd need the $ppp_ADDRESS to change each time, you'd have to stop and restart snort upon each connection. If it were me, I'd use some of the logic in that script instead of the $ppp_ADDRESS setup and restart snort each time. Then you could use that to flag what the IP was during the last run into a file, and store it with the binary log. You'd have to have the .conf you used edited for each time you ran snort anyway....
Thanks for all comments, especially those that are helpful. :-)
Useful comment: Sell your Enron stock. ;-) *ducks and runs* :)

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
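The approach Erek sketches above (record the dial-up address at capture time and store it next to the binary log, then derive both the -h argument and the HOME_NET variable from it) as an added shell example; this is not code from the post or from the snort contrib script, and the manifest file name, the template conf and the address 10.1.2.3 are assumptions made up for the illustration:

```shell
#!/bin/sh
# Added example (not from the list post or the snort contrib script):
# record the dial-up address at the time of a capture and derive the
# HOME_NET value and -h argument from it, so a binary log written with
# -b can later be replayed with the matching configuration.

# Turn a single host address into the CIDR form snort expects for -h
# and for the HOME_NET variable.
home_net_cidr() {
    printf '%s/32\n' "$1"
}

# Write a small manifest next to the binary log recording the address
# the capture was made from.  $1 = address, $2 = log directory.
# Prints the manifest path (file name is an assumption of this example).
write_home_net_manifest() {
    addr="$1"; logdir="$2"
    mkdir -p "$logdir"
    manifest="$logdir/HOME_NET.txt"
    {
        printf 'captured=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'HOME_NET=%s\n' "$(home_net_cidr "$addr")"
    } > "$manifest"
    printf '%s\n' "$manifest"
}

# Rewrite the HOME_NET line of a snort.conf template for this run.
# $1 = template, $2 = address, $3 = output conf path.
render_snort_conf() {
    sed "s|^var HOME_NET .*|var HOME_NET $(home_net_cidr "$2")|" "$1" > "$3"
}

# Build the snort command line for a binary-log capture of this run.
# $1 = address, $2 = log directory, $3 = interface.  Prints the command
# rather than running it, so it can be inspected or wrapped by the
# script that stops and restarts snort on each new ppp connection.
snort_capture_cmd() {
    printf 'snort -b -i %s -l %s -h %s -c %s/snort.conf\n' \
        "$3" "$2" "$(home_net_cidr "$1")" "$2"
}

# Read HOME_NET back from a manifest when replaying with snort -r.
read_home_net() {
    sed -n 's/^HOME_NET=//p' "$1"
}
```

The manifest is what answers the original question: the binary log itself carries no record of HOME_NET, so the value has to be written beside it at capture time.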