Snort mailing list archives

Re: Does setting HOME_NET have any effect in Stealth mode?


From: Rob Ward <rob.ward () liverpool ac uk>
Date: Tue, 02 Nov 2004 15:43:37 +0000

--On 02 November 2004 23:36 +0800 Michael Boman <michael.boman () gmail com> wrote:

> On Tue, 02 Nov 2004 15:09:32 +0000, Rob Ward <rob.ward () liverpool ac uk> wrote:
>> Hi Michael,
>>
>> --On 02 November 2004 23:02 +0800 Michael Boman <michael.boman () gmail com> wrote:
>>
>>> On Tue, 02 Nov 2004 13:05:26 +0000, Rob Ward <rob.ward () liverpool ac uk> wrote:
>>>> When I set "HOME_NET" to anything other than 'any' I no longer see any
>>>> DOS or DDOS alerts but P2P alerts are still output. I've tried
>>>> following the configuration examples in the FAQs etc. and can't get
>>>> it to work. I'm wondering if HOME_NET has any relevance when running
>>>> snort in 'stealth' or am I wide of the mark?
>>>
>>> HOME_NET is used to define the network you are interested in monitoring,
>>> and your snort box being in stealth mode or not has nothing to do with
>>> it.
>>
>> That's what I find strange - when I set HOME_NET to the network I want to
>> monitor the DOS alerts are no longer output?
>
> Are you receiving/sending traffic that would trigger a properly
> configured IDS rule?

Definitely, it's monitoring our student halls network. We've acted on the alerts in the past and always found the hosts to be compromised in some way.

>>>> Also - can snort cope with variable length subnet masks?
>>>
>>> Please explain what you mean.
>>
>> For example:
>>
>> var HOME_NET [138.253.82.0/23 , 138.253.160.0/22]
>
> I hope you misquoted that, if not please remove the spaces like this:
>
> var HOME_NET [138.253.82.0/23,138.253.160.0/22]
>
> and yes, it does support that (but remember to remove the spaces in
> the address list)

Funnily enough the way I wrote it above with spaces was taken from the FAQs on snort.org! I've tried it your way as well with no success; it's weird and only seems to affect the DOS and DDOS alerts and we still see loads for P2P.

> Best regards
>  Michael Boman

Thanks

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

Tel: 0151 794 4449
Fax: 0151 794 4442
Mob: 07970 247 326
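A small added check that is not part of this thread or of Snort's own configuration parser: it reads a `var HOME_NET [...]` line in the form discussed above, tolerates the spaces around the commas that the snort.org FAQ example used, and reports whether given addresses fall inside the resulting networks. When alerts disappear after narrowing HOME_NET, the first thing to confirm is that the hosts from the earlier alerts actually sit inside the new definition. The variable lines and the host addresses below are constructed samples; `$VAR` references are not resolved, and a list made up only of negated elements is treated as "everything except those" (an assumption for this example, not a statement about Snort's semantics).

```python
import ipaddress
import re

# Constructed sample variable lines: the first is the form quoted in the
# thread (spaces around the comma), the second the form without spaces.
SAMPLE_WITH_SPACES = "var HOME_NET [138.253.82.0/23 , 138.253.160.0/22]"
SAMPLE_NO_SPACES = "var HOME_NET [138.253.82.0/23,138.253.160.0/22]"

# Matches 'var NAME value' and 'ipvar NAME value'.
_VAR_RE = re.compile(r"^\s*(?:ip)?var\s+(\w+)\s+(.+?)\s*$")


def parse_var(line):
    """Return (name, [(negated, network), ...]) for one variable line.

    Accepts 'any', a single CIDR, or a bracketed comma-separated list.
    Whitespace around list elements is stripped, so both sample forms above
    resolve to the same networks.  A leading '!' marks a negated element.
    """
    m = _VAR_RE.match(line)
    if not m:
        raise ValueError("not a var line: %r" % line)
    name, value = m.group(1), m.group(2).strip()
    if value.lower() == "any":
        return name, [(False, ipaddress.ip_network("0.0.0.0/0"))]
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    networks = []
    for elem in value.split(","):
        elem = elem.strip()
        if not elem:
            continue
        negated = elem.startswith("!")
        if negated:
            elem = elem[1:].strip()
        # strict=False so a prefix written with host bits set still parses
        networks.append((negated, ipaddress.ip_network(elem, strict=False)))
    return name, networks


def ip_in_var(ip, networks):
    """True if ip lies inside some positive element and outside every
    negated one.  With no positive elements at all, every address not
    excluded by a negation counts as inside (assumption for this example)."""
    addr = ipaddress.ip_address(ip)
    positives = [net for neg, net in networks if not neg]
    negatives = [net for neg, net in networks if neg]
    inside = True if not positives else any(addr in net for net in positives)
    excluded = any(addr in net for net in negatives)
    return inside and not excluded


def check_alert_hosts(var_line, hosts):
    """Map each host address to whether the variable definition covers it."""
    _, networks = parse_var(var_line)
    return {h: ip_in_var(h, networks) for h in hosts}


if __name__ == "__main__":
    # Constructed addresses standing in for hosts seen in earlier alerts.
    for host, covered in check_alert_hosts(
        SAMPLE_WITH_SPACES, ["138.253.83.5", "138.253.164.1"]
    ).items():
        print(host, "inside HOME_NET" if covered else "NOT in HOME_NET")
```

Feed it the HOME_NET line from the running configuration and the source or destination addresses taken from the alerts that used to fire; a host that reports "NOT in HOME_NET" explains the silence for rules written against `$HOME_NET` without any further guessing about stealth mode.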


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
