detect that shouldn't be detected!

["Daniel Lopez" <dlopez () tct hut fi>]

Hello,

Currently, I'm doing some tests on Snort. I'm using two LANs. One
recreates the External network. The network address is: 10.50.0.0/24.
The second LAN is my home network. The network address is: 10.50.1.0/24
They are interconnected via a router. I wanted to be able to get attacks
going from the External network to my Home network, and attacks going
from my Home network to the other computers in my Home network.
The SNORT box is in the home network. Computers and SNORT box are
connected through a HUB. I configured the HOME_NET and EXTERNAL_NET
variables as follows:

HOME_NET 10.50.1.0/24

EXTERNAL_NET any

However, when I launch an attack (Teardrop, NewTear) from my home
network to the external network, SNORT detects it!! If I look the
Teardrop rule, it is written this way:

[...] $EXTERNAL_NET -> $HOME_NET [...]

Thus, it only will be applied for traffic that goes from the
External_Net to the Home_Net!
I don't understand how it can detect it if the attack goes from my home
network to the external network. Did I miss something?

Thanks in advance for your help!
Daniel Lopez




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users