Snort mailing list archives
Re: home_net
From: Phil Wood <cpw () lanl gov>
Date: Fri, 8 Mar 2002 17:33:13 -0700
Well you have probably pissed of these guys:
% whois 215.124.175.132
DoD Network Information Center (NETBLK-DDN-NIC16)
7990 Boeing Court M/S CV-50
Vienna, VA 22183
US
Netname: DDN-NIC16
Netblock: 215.0.0.0 - 215.255.255.255
Maintainer: DNIC
Coordinator:
DoD, Network (MIL-HSTMST-ARIN) HOSTMASTER () NIC MIL
(703) 676-1051 (800) 365-3642 (FAX) (703) 676-1749
Domain System inverse mapping provided by:
AAA-VIENNA.NIPR.MIL 207.132.116.60
AAA-KELLY.NIPR.MIL 199.252.162.251
AAA-WHEELER.NIPR.MIL 199.252.180.251
AAA-VAIHINGEN.NIPR.MIL 199.252.154.251
You might want to stop with the "Devil may care" attitude.
On Fri, Mar 08, 2002 at 04:17:46PM -0500, Basil Saragoza wrote:
THanks for the warning, address I posted only looks real, it is not my firewall, and I beleive nobody's else :-) ----- Original Message ----- From: "John Sage" <jsage () finchhaven com> To: "Basil Saragoza" <snortlst () hotmail com> Cc: <snort-users () lists sourceforge net> Sent: Friday, March 08, 2002 1:28 PM Subject: Re: [Snort-users] home_netOn Fri, Mar 08, 2002 at 12:30:43PM -0500, Basil Saragoza wrote:When I set home_net in snort.conf to ip address of my firewalleverything isfine. When I set it to 215.124.175.132/26 then I see onl;y ICMP traffic..... (external_net set to any) Any reason for such behaviour on snort? What is the correlation between home_net and external_net?Several thoughts: 1) I would **never** actually post a live IP address, or IP address range to a mail list -- obfuscate it -- we don't need to know the actual IP address you've got to work with, and neither does anyone else... 2) 215.124.175.132/26 corresponds to this: Address: 215.124.175.132 11010111.01111100.10101111.10 000100 Netmask: 255.255.255.192 == 26 11111111.11111111.11111111.11 000000 => Network: 215.124.175.128/26 11010111.01111100.10101111.10 000000(Class C)Broadcast: 215.124.175.191 11010111.01111100.10101111.10 111111 HostMin: 215.124.175.129 11010111.01111100.10101111.10 000001 HostMax: 215.124.175.190 11010111.01111100.10101111.10 111110 Hosts/Net: 62 the (useable) netblock from HostMin: 215.124.175.129 to a HostMax: 215.124.175.190 for a total of 62 hosts. Is this what you're intending to do? I have no idea as to why this (the *only*..?) change would suddenly result in your seeing only icmp traffic. Is this the only change you've made? - John -- Most people don't type their own logfiles; but, what do I care?_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- HOME_NET Basil Saragoza (Feb 21)
- <Possible follow-ups>
- Re: HOME_NET Scott Taylor (Feb 21)
- HOME_NET NoLiMiT1961 (Mar 06)
- home_net Basil Saragoza (Mar 08)
- Re: home_net John Sage (Mar 08)
- Re: home_net Basil Saragoza (Mar 08)
- Re: home_net Phil Wood (Mar 08)
- Re: home_net John Sage (Mar 08)
- Re: home_net John Sage (Mar 08)