Re: external_net vs !home_net

[Ben Feinstein <me () benfeinstein net>]

The HOME_NET variable parsing code in 1.8.7 is somewhat broken.  With
Snort 1.8.x, having multiple subnets in the HOME_NET var is asking for
trouble.

This appears to have has been fixed in the 1.9 branch.  Try this with the
latest 1.9 beta and see if you're problem is fixed.

Cheers,
Ben

On Fri, 27 Sep 2002, charella constansia wrote:

> hai,
>
> I've been dealing with this for a while. I want to
> know if I'm doing something wrong or if it's a bug in
> Snort.
>
> I'm running snort sensor(1.8.7) on RedHat7.3.
>
> My snort.conf:
> $HOME_NET [xx,xx,xx,xx/24,yy,yy,yy,yy/24,and a few
> more]
> $EXTERNAL_NET !$HOME_NET.
>
> If I write a alert:
> alert tcp $HOME_NET any -> $EXTERNAL_NET any
> (msg:"bla";)
> This rule will also catch traffic from my internal net
> to my internal net, and I will get too much false
> positives.
> But if i write it like below:
> alert tcp $HOME_NET any -> !$HOME_NET any (msg:"bla";)
> it won't catch it.
>
> Is this a bug in snort if you have multiple subnets in
> your HOME_NET.
>
> Please help me,



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users