RE: detect that shouldn't be detected!

["Daniel Lopez" <dlopez () tct hut fi>]

Hi Gammon!

> You might want to try setting
> EXTERNAL_NET  !HOME_NET

You wanted to say: EXTERNAL_NET !$HOME_NET , no? ;-)
Anyway, as Tom Sevy and you advised me to do, I set the EXTERNAL_NET to
!$HOME_NET.
By doing that, SNORT shouldn't be able to detect attacks launched from
my Home Network, and this for rules which are written this way: [...]
$EXTERNAL_NET -> $HOME_NET [...]
This is right?

Well, I did some tests, and here are my results. I launched a NewTear
attack (a variant of the Teardrop DoS attack) from a computer that
belongs my home network (so inside 10.50.1.0/24) to the external network
(10.50.0.0/24). Because I set the EXTERNAL_NET to !$HOME_NET, SNORT
shouldn't detect this attack, no?

Well, SNORT detected it!! Funny thing!
And my HOME_NET and EXTERNAL_NET are set to:

var HOME_NET 10.50.1.0/24
var EXTERNAL_NET !$HOME_NET

Then, I launched some other attacks (No DoS and DDoS) from the same
computer (10.50.1.130) to a computer in my external network. Here, SNORT
didn't detect them....

However, my first idea was to set these two variables to be able to
detect attacks launched from:

        .my Home Net to my Home Net
        .the External net to my Home net

This is the reason why I set these variables to:
var HOME_NET 10.50.1.0/24
var EXTERNAL_NET any

And with this configuration, I have the problem that I decribed in my
previous emails...

Thus, I still don't understand why SNORT detects these DoS and DDoS
attacks that are launched from my home network to the external network,
even if my EXTERNAL_NET is configured as "any" or "!$HOME_NET"...

Somebody can tell me what is wrong please? :-/


> -----Original Message-----
> From: Daniel Lopez [mailto:dlopez () tct hut fi]
> Sent: Thursday, August 01, 2002 4:49 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] detect that shouldn't be detected!
>
>
> Hello,
>
> Currently, I'm doing some tests on Snort. I'm using two LANs. One
> recreates the External network. The network address is: 10.50.0.0/24.
> The second LAN is my home network. The network address is:
> 10.50.1.0/24
> They are interconnected via a router. I wanted to be able to
> get attacks
> going from the External network to my Home network, and attacks going
> from my Home network to the other computers in my Home network.
> The SNORT box is in the home network. Computers and SNORT box are
> connected through a HUB. I configured the HOME_NET and EXTERNAL_NET
> variables as follows:
>
> HOME_NET 10.50.1.0/24
>
> EXTERNAL_NET any
>
> However, when I launch an attack (Teardrop, NewTear) from my home
> network to the external network, SNORT detects it!! If I look the
> Teardrop rule, it is written this way:
>
> [...] $EXTERNAL_NET -> $HOME_NET [...]
>
> Thus, it only will be applied for traffic that goes from the
> External_Net to the Home_Net!
> I don't understand how it can detect it if the attack goes
> from my home
> network to the external network. Did I miss something?
>
> Thanks in advance for your help!
> Daniel Lopez
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users