Snort mailing list archives
Re: HOME_NET not supporting multiple subnets?!
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 20 Aug 2002 01:20:26 -0700 (PDT)
On Tue, 20 Aug 2002, Jon Benson wrote: [...snip...]
There are just FAR too many alerts being logged and mostly false positives with the default setup. So I attempted to setup the HOME_NET appropriately.
Mmmmm.... I love the smell of false positives in the morning. ;-)
However, it seems to me that it only uses the FIRST subnet when specifying more than one subnet. E.g. if HOME_NET were defined as:

var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, 10.10.4.1/27, 10.10.5.0/24]

it would only generate alerts for packets destined for 10.10.1.0/24 reliably. There may be the odd packet that gets logged for the remaining subnets, but it is definitely missing test traffic that I'm generating from an external network. E.g.

wget "10.10.5.46/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c ../winnt/system32/cmd.exe?/c+dir"

fails to log an alert, whereas:

wget "10.10.1.96/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c ../winnt/system32/cmd.exe?/c+dir"

would log an alert as expected.

My problem is I have 10 different subnets I need to watch (real ones, not the examples given) and the default of "any" is, as mentioned, far too noisy. Any/all suggestions would be most welcome.
Snort handles multi nets just fine. It's just not in your best interests to do so. :)

This only applies (to my knowledge) to the 1.8 branch, but... Due to the way the rule lists are built, you'll get better performance with multiple instances. Cut down your subnets and you'll gain a measurable difference in performance. The more "unions" that exist, the more work snort must do. Split your subnets into single instances if possible. At the very least run the more trafficked subnets alone, and the low bandwidth ones combined. Any little bit helps... :)

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
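Before splitting a sensor into per-subnet instances, it is worth confirming that the HOME_NET list itself covers the addresses you expect. The following is an added example, not code from the thread or from Snort: it parses the bracketed `var HOME_NET [...]` line from the post, masks off host bits on entries such as 10.10.4.1/27 (assumed to match how a netmask is applied), and checks the two destination addresses from the post against the list.

```python
"""Parse a Snort-style HOME_NET list and report which addresses it covers."""
import ipaddress
import re

# HOME_NET definition as given in the post (10.10.4.1/27 has host bits set).
SNORT_VAR_LINE = ("var HOME_NET [10.10.1.0/24, 10.10.2.0/24, 10.10.3.64/27, "
                  "10.10.4.1/27, 10.10.5.0/24]")


def parse_home_net(var_line):
    """Return (networks, sloppy) for a `var HOME_NET [...]` line.

    `sloppy` lists entries whose host bits were set, paired with the network
    they are masked to (assumed to be what the netmask yields in Snort), so
    the config can be tidied up before anyone wonders why a rule misfires.
    """
    m = re.match(r"\s*var\s+HOME_NET\s+\[?([^\]]+)\]?\s*$", var_line)
    if not m:
        raise ValueError("not a var HOME_NET line: %r" % var_line)
    nets, sloppy = [], []
    for entry in m.group(1).split(","):
        entry = entry.strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)  # mask off host bits
        if str(net) != entry:
            sloppy.append((entry, str(net)))
        nets.append(net)
    return nets, sloppy


def covered_by(addr, nets):
    """Return the first network in `nets` containing `addr`, else None."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip in net:
            return net
    return None


if __name__ == "__main__":
    nets, sloppy = parse_home_net(SNORT_VAR_LINE)
    for entry, fixed in sloppy:
        print("warning: %s has host bits set; treated as %s" % (entry, fixed))
    # Both targets from the post are inside HOME_NET, so a missed alert on
    # 10.10.5.46 is not explained by the address list itself.
    for target in ("10.10.5.46", "10.10.1.96", "192.0.2.10"):
        print(target, "->", covered_by(target, nets))
```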
Current thread:
- HOME_NET not supporting multiple subnets?! Jon Benson (Aug 19)
- Re: HOME_NET not supporting multiple subnets?! Erek Adams (Aug 20)