Different HOME_NET variable for different interface
-
Hi, I am trying to configure different HOME_NET variables for each of my interfaces. I have 4 different networks on different but I also have multiple networks on 1 interface. When trying to configure aliases I can configure the aliases but I cannot see them in Snort. Any ideas?
Thanks -
To create a customized HOME_NET for an interface, you have to trick Snort a bit. First create your aliases for each local network interface. Then, for the interface that has multiple networks, you need to create a single alias and then put the other network aliases in it (in other words, "nest" those aliases).
Now go to the PASS LISTS tab and create a new custom Pass List. You can either leave the various parameters at their default or customize them a bit. I suggest leaving the defaults. At the bottom of the page is an Address text box. Begin to type the name of the network alias you created for a given interface and it should auto-populate the field. For the interface with multiple networks, be sure to use your nested alias. Save the new Pass List (which you are actually going to use as a HOME_NET list in the next step).
Now go to the INTERFACE where you want a custom HOME_NET. In the drop-down next to HomeNet, choose the appropriate list. Save the change and restart Snort on that interface.
Make sure you fully understand what HOME_NET is all about because if you get it populated incorrectly, a number of Snort rules will be rendered useless! In most cases there is no need to change the default values.
-
@bmeeks
Thank you, exactly what I was looking for
