Snort mailing list archives
RE: HOME_NET and EXTERNAL_NET
From: "Joe Patterson" <jpatterson () asgardgroup com>
Date: Wed, 1 Dec 2004 18:22:52 -0500
These are all coming from the http_inspect preprocessor, which doesn't care about HOME_NET or EXTERNAL_NET. There are several ways you could deal with this. I'm not necessarily suggesting them, but you could do it...

- put a bpf filter on snort, along the lines of 'not src net 192.168.0.0/16', or a bunch more filter expressions to whittle it down to only the sources you want to exclude.
- suppress all sids for this generator.
- include lines for each sid along the lines of:

    suppress gen_id 119, sig_id 13, track by-src, ip 192.168.0.0/16

Of course, you could always not run the http_inspect preprocessor, but that would definitely be a bad idea.
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of JAMIE CRAWFORD
Sent: Wednesday, December 01, 2004 5:15 PM
To: tslighter () itc nrcs usda gov
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] HOME_NET and EXTERNAL_NET

Thanks for the information everyone. I'll try this out. Here are the most common alerts in a half a second span.

thanks again,
jamie

[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF
***AP*** Seq: 0x5337F75E Ack: 0x41F6E98F Win: 0xFAF0 TcpLen: 20

[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
12/01-16:05:13.163773 192.168.170.64:3686 -> 192.168.253.3:80
TCP TTL:126 TOS:0x0 ID:36746 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x2ED5003C Ack: 0xE43B1645 Win: 0x4470 TcpLen: 20

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
12/01-16:05:13.309453 192.168.186.71:4887 -> 64.94.137.55:80
TCP TTL:126 TOS:0x0 ID:46539 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7EE9A60D Ack: 0x5236B9F4 Win: 0x4470 TcpLen: 20

[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
12/01-16:05:13.313225 192.168.170.64:3688 -> 192.168.253.3:80
TCP TTL:126 TOS:0x0 ID:36769 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x39DAAF24 Ack: 0xE3A153A3 Win: 0x4470 TcpLen: 20

[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.404388 192.168..48.117:4195 -> 206.190.44.82:80
TCP TTL:126 TOS:0x0 ID:6660 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC40EB62C Ack: 0xA76456C1 Win: 0xF9A7 TcpLen: 20

>>> Tim Slighter <tslighter () itc nrcs usda gov> 12/01/04 04:42PM >>>
It might help too to tell us what alerts are firing off for this particular config.

Many SNMP, WEB, and other rules files will fire off alerts for the $HOME_NET whenever a connection is either initiated outbound or if a valid incoming connection dynamically uses a port that fires a backdoor.rules TCP/UDP port

JAMIE CRAWFORD wrote:
Hi, I'm a little frustrated on getting snort setup right. I have my var HOME_NET [192.168.1.0/24,192.168.2.0/24] and my var EXTERNAL_NET [!192.168.0.0/16], but for some reason I'm still getting alerts coming from my own home network's class b address (192.168.0.0/16). I don't care about my class b, just attacks made toward my two class c networks.

I've tried var EXTERNAL_NET !192.168.0.0/16
I've tried var EXTERNAL_NET ![192.168.0.0/16]

any help is appreciated.

thanks,
jamie

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
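The thread's point is that http_inspect (generator 119) alerts are not governed by HOME_NET/EXTERNAL_NET, so the tuning has to happen with bpf filters or `suppress` entries instead. Before adding suppress lines it helps to know exactly which gen_id/sig_id pairs and which source networks would be silenced, and which alerts would still get through. The script below is an added example, not code from the thread or from the Snort project: it parses alerts in the full-alert format shown above, applies Snort-2.x-style `suppress gen_id ..., sig_id ..., track by-src, ip ...` lines as a simple model of Snort's suppression matching, and reports what is kept and dropped. The alert text and the suppress entries are constructed samples (the last alert deliberately has a non-192.168 source so that one 119:13 alert survives); the exact matching semantics of Snort's own suppression code are assumed, not copied.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the full-alert format quoted in the thread
# (the last alert's source address is made up so that it falls outside 192.168/16).
SAMPLE_ALERTS = """\
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF
[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
12/01-16:05:13.163773 192.168.170.64:3686 -> 192.168.253.3:80
TCP TTL:126 TOS:0x0 ID:36746 IpLen:20 DgmLen:1500 DF
[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
12/01-16:05:13.309453 192.168.186.71:4887 -> 64.94.137.55:80
TCP TTL:126 TOS:0x0 ID:46539 IpLen:20 DgmLen:1500 DF
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.404388 10.9.8.7:4195 -> 192.168.1.20:80
TCP TTL:126 TOS:0x0 ID:6660 IpLen:20 DgmLen:1500 DF
"""

# Constructed threshold.conf-style entries, same syntax as the thread's example line.
SUPPRESS_CONF = """\
# silence the two noisy http_inspect sids only when the source is our class B
suppress gen_id 119, sig_id 13, track by-src, ip 192.168.0.0/16
suppress gen_id 119, sig_id 12, track by-src, ip 192.168.0.0/16
"""

ALERT_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] \((\w+)\) (.+?) \[\*\*\]$")
ALERT_FLOW = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
SUPPRESS_LINE = re.compile(
    r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by-src|by-dst),\s*ip\s+(\S+))?$"
)


def parse_alerts(text):
    """Pair each '[**] [gid:sid:rev] ...' header with the flow line that follows it."""
    alerts, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        hdr = ALERT_HEADER.match(lines[i])
        flow = ALERT_FLOW.match(lines[i + 1]) if hdr and i + 1 < len(lines) else None
        if hdr and flow:
            gid, sid, rev, gen, msg = hdr.groups()
            src, sport, dst, dport = flow.groups()
            alerts.append({"gid": int(gid), "sid": int(sid), "gen": gen, "msg": msg,
                           "src": src, "dst": dst, "dport": int(dport)})
            i += 2
        else:
            i += 1
    return alerts


def parse_suppress(text):
    """Read suppress lines; a missing 'track ... ip ...' clause means suppress everywhere."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SUPPRESS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised suppress line: {line!r}")
        gid, sid, track, net = m.groups()
        rules.append({"gid": int(gid), "sid": int(sid), "track": track,
                      "net": ipaddress.ip_network(net, strict=False) if net else None})
    return rules


def is_suppressed(alert, rules):
    """Modelled matching: same gid/sid, and (if tracked) the tracked address is inside 'ip'."""
    for r in rules:
        if (alert["gid"], alert["sid"]) != (r["gid"], r["sid"]):
            continue
        if r["net"] is None:
            return True
        addr = alert["src"] if r["track"] == "by-src" else alert["dst"]
        if ipaddress.ip_address(addr) in r["net"]:
            return True
    return False


def apply_suppress(alerts, rules):
    """Split alerts into (kept, dropped) under the given suppress rules."""
    kept, dropped = [], []
    for a in alerts:
        (dropped if is_suppressed(a, rules) else kept).append(a)
    return kept, dropped


def top_sources(alerts, n=5):
    """Which (gid, sid, src) triples fire most: the basis for deciding what to suppress."""
    return Counter((a["gid"], a["sid"], a["src"]) for a in alerts).most_common(n)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    kept, dropped = apply_suppress(alerts, parse_suppress(SUPPRESS_CONF))
    for label, group in (("kept", kept), ("dropped", dropped)):
        for a in group:
            print(f"{label:8} [{a['gid']}:{a['sid']}] {a['msg']}  {a['src']} -> {a['dst']}")
```

Run against a real alert file (replace SAMPLE_ALERTS with its contents) and look at top_sources() first; the point of the by-src form is that the DOUBLE DECODING ATTACK alert from an internal host and the NON-RFC DELIMITER alert from an outside source are both still reported, which a blanket "suppress all sids for this generator" would lose.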
Current thread:
- HOME_NET and EXTERNAL_NET JAMIE CRAWFORD (Dec 01)
- RE: HOME_NET and EXTERNAL_NET M. Shirk (Dec 01)
- Re: HOME_NET and EXTERNAL_NET Tim Slighter (Dec 01)
- Re: HOME_NET and EXTERNAL_NET M. Shirk (Dec 02)
- Re: HOME_NET and EXTERNAL_NET Tim Slighter (Dec 01)
- Re: HOME_NET and EXTERNAL_NET Tim Slighter (Dec 01)
- <Possible follow-ups>
- RE: HOME_NET and EXTERNAL_NET JAMIE CRAWFORD (Dec 01)
- Re: HOME_NET and EXTERNAL_NET Tim Slighter (Dec 01)
- RE: HOME_NET and EXTERNAL_NET Paul Schmehl (Dec 01)
- Re: HOME_NET and EXTERNAL_NET JAMIE CRAWFORD (Dec 01)
- Re: HOME_NET and EXTERNAL_NET Matt Kettler (Dec 01)
- RE: HOME_NET and EXTERNAL_NET Joe Patterson (Dec 01)
- HOME_NET and EXTERNAL_NET JAMIE CRAWFORD (Dec 02)
- RE: HOME_NET and EXTERNAL_NET M. Shirk (Dec 01)