RE: Followup to HOME_NET and EXTERNAL_NET

["Don" <Don () WeberOnTheWeb com>]

first i'd suggest setting up your dns servers under the dns_servers variable
as such
var DNS_SERVERS [192.168.0.1/32,192.168.0.2/32]

keep your home_net as is as well as your external_net as !home_net, you can
setup your alerts to ignore $dns_servers.
one question i have, as far as you getting nothing but dns zone transfers,
do you or have you ever got any other alerts. I'd suggest before saying your
not getting alerts and start changing things around, that you do a noisy
portscan from externally to see if you are getting anything, you may just be
getting lucky and not scanned or have any actions against you which is
possible, or your sensor may not be configured on a port that can see any
other traffic, be sure you can see other traffic first. then start with the
variables, for testing purposes make
var home_net any
var external_net any

then do a noisy scan from externally somewhere to first your system, and
then scan another box on your net, making sure you can see both scans from
your sensor

good luck

don

> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net
> > [mailto:snort-users-admin () lists sourceforge net]On Behalf Of John Lathem
> > Sent: Wednesday, November 06, 2002 7:23 AM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Followup to HOME_NET and EXTERNAL_NET
> >
> >
> >
> > I've changed my HOME_NET to match my IP ranges, like this:
> >
> >     var HOME_NET [x.x.x.160/27,x.x.x.32/27,192.168.x.0/24]
> >     var EXTERNAL_NET any
> >
> > This is two internet connections, plus the internal network.  However, I
> > still get DNS Zone Tranfers logged between my two internet interfaces.
> > The DNS Zone Transfer rule indicates that it would log packets from
> > EXTERNAL_NET to HOME_NET, but both are in HOME_NET.
> >
> > When I set :
> >
> >     var EXTERNAL_NET !$HOME_NET
> >
> > I don't get any alerts logged anymore, except these zone transfers.
> >
> > Thanks!
> >
> > ---
> > John Lathem  <lathem () z-space com>
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by: See the NEW Palm
> > Tungsten T handheld. Power & Color in a compact size!
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=ort-users



-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm 
Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users