Snort mailing list archives
Re: $HOME_NET
From: Erek Adams <erek () snort org>
Date: Sun, 6 Apr 2003 15:12:38 -0500 (EST)
On Sun, 6 Apr 2003, Keg wrote:
I guess I miss something....... I have 3 network segments #1, #2, and #3. $HOME_NET is set to #1. When I scan #1 with Nessus I get a lot of alerts logged. When I scan #2 with Nessus I get just a little bit of alerts When I add #2 to $HOME_NET (so it looks like $HOME_NET [#1/24,#2/24) I 'm starting to get a lot of alerts. Hence 2 questions: 1. Is there any difference how snort treats netwqorks if they are not included in $HOME_NET? 2. Should I include all network segments I have in $HOME_NET?
When you're refering to portscans, are you refering to the one of the portscan preprocessors, stream4 or some of the rules? $HOME_NET has nothing to do with any of those except for the rules. Where are you scanning _from_? If you're scanning from inside of #1, then you won't see any alerts from the rules, but you may see them from one of the preprocessors. ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- $HOME_NET Keg (Apr 06)
- Re: $HOME_NET Erek Adams (Apr 06)
- Re: $HOME_NET Keg (Apr 07)
- Re: $HOME_NET Erek Adams (Apr 07)
- Re: $HOME_NET Keg (Apr 07)
- Re: $HOME_NET Erek Adams (Apr 08)
- Re: $HOME_NET Keg (Apr 08)
- Re: $HOME_NET Erek Adams (Apr 08)
- Re: $HOME_NET Keg (Apr 08)
- Re: $HOME_NET Keg (Apr 07)
- Re: $HOME_NET Erek Adams (Apr 06)
- <Possible follow-ups>
- RE: $HOME_NET Snow Jacob C KPWA (Apr 09)