Re: [Snort-users] $HOME_NET

From: Erek Adams (ereksnort.org)
Date: Sun Apr 06 2003 - 15:12:38 CDT


On Sun, 6 Apr 2003, Keg wrote:

> I guess I miss something.......
> I have 3 network segments #1, #2, and #3. $HOME_NET is set to #1.
> When I scan #1 with Nessus I get a lot of alerts logged.
> When I scan #2 with Nessus I get just a little bit of alerts
> When I add #2 to $HOME_NET (so it looks like $HOME_NET [#1/24,#2/24]) I'm
> starting to get a lot of alerts.
>
> Hence 2 questions:
> 1. Is there any difference how snort treats networks if they are not
> included in $HOME_NET?
> 2. Should I include all network segments I have in $HOME_NET?

When you're referring to portscans, are you referring to one of the
portscan preprocessors, stream4 or some of the rules? $HOME_NET has
nothing to do with any of those except for the rules.

Where are you scanning _from_? If you're scanning from inside of #1, then
you won't see any alerts from the rules, but you may see them from one of
the preprocessors.

-----
Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson

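An added example, not part of the original message and not Snort's own code: a Python model of how a rule header of the common form `alert tcp $EXTERNAL_NET any -> $HOME_NET any` is checked against a packet's addresses, showing why scans of a segment outside $HOME_NET raise few rule alerts. The addresses are constructed stand-ins for segments #1 to #3, and the two EXTERNAL_NET settings modelled (`any` and `!$HOME_NET`) are assumptions about the configuration.

```python
import ipaddress

# Constructed addresses standing in for the poster's segments #1 and #2.
SEG1 = "192.168.1.0/24"
SEG2 = "192.168.2.0/24"

def in_nets(ip, nets):
    """True if ip falls in any CIDR in nets (a Snort-style address list)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def rule_header_matches(src, dst, home_net, external_is_not_home):
    """Model the header 'alert tcp $EXTERNAL_NET any -> $HOME_NET any'.

    external_is_not_home=False models 'var EXTERNAL_NET any';
    True models 'var EXTERNAL_NET !$HOME_NET'.
    """
    dst_ok = in_nets(dst, home_net)
    src_ok = not in_nets(src, home_net) if external_is_not_home else True
    return src_ok and dst_ok

def scan_results(home_net, external_is_not_home):
    """Which constructed scans get past the header to content inspection."""
    scans = {
        "seg3 -> seg1": ("192.168.3.50", "192.168.1.10"),
        "seg3 -> seg2": ("192.168.3.50", "192.168.2.10"),
        "seg1 -> seg1": ("192.168.1.50", "192.168.1.10"),
    }
    return {name: rule_header_matches(s, d, home_net, external_is_not_home)
            for name, (s, d) in scans.items()}

if __name__ == "__main__":
    for label, home in (("HOME_NET=[#1]", [SEG1]),
                        ("HOME_NET=[#1,#2]", [SEG1, SEG2])):
        for strict in (False, True):
            ext = "!$HOME_NET" if strict else "any"
            print(label, "EXTERNAL_NET=" + ext, scan_results(home, strict))
```

Preprocessor alerts are outside this model, since they do not consult $HOME_NET.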