
[Snort-sigs] Question about defining the home_net

From: Randle, Tommie (Contractor) <RandleT(at)pac.disa.mil>
Date: Wed Mar 26 2003 - 13:35:08 EST

All:

I have the responsibility to monitor (with snort) a humongous system that has some IDSs on links with multiple -- and ever changing -- IP networks. I am trying to build a homenet based on these IP ranges, but find it very difficult to first investigate and keep it up to date. I was wondering if the following scenario is valid -- or if it has been considered as an easy way to define a subnet:

     (mac)                                      (mac)
 OUTSIDE ROUTER ---------------------------- INNER ROUTER (home_net) -----> various subrouters and ip-ranges
                        |
                        |
                        |
              IDS (Running Snort)

Would it be possible to identify the HOME_NET using the MAC address of the inner router? Every packet that I look at with snort lists the MAC address of the two routers. It would be a very easy way to identify a home net without having to maintain a detailed list for all the suborganizations and IP ranges that they use. When I looked at the snort documentation, there is an option to use the Ethernet address of the IDS itself as the homenet, but in many cases, the IDS is sitting quietly to the side and is using its internal IPs (127.0.0.X) to keep from advertising its presence.

If this option is already available, can you give me a short description of the proper way to set it up?

If this option is not available, can you consider making it an option in future releases?

v/r
Tommie T. Randle
DISA-PAC CERT
808-456-0948/9
randlet@pac.disa.mil
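
Added example, not part of the original message and not a Snort feature: one way to approximate the idea offline is to read frames captured on the link between the two routers, take the inside IP address of every frame sent or received by the inner router's MAC, and write the collapsed ranges into a HOME_NET variable. The MAC addresses, function names, sample frames and the /24 aggregation are assumptions made for illustration.

```python
import ipaddress
import struct

INNER_MAC = "00:00:5e:00:53:01"   # placeholder: inner router's MAC on the monitored link
OUTER_MAC = "00:00:5e:00:53:02"   # placeholder: outside router's MAC

def parse_frame(frame):
    """Return (src_mac, dst_mac, src_ip, dst_ip) for an Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:   # skips ARP, IPv6, VLAN-tagged frames
        return None
    return (src.hex(":"), dst.hex(":"),
            ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34]))

def derive_home_net(frames, inner_mac=INNER_MAC, prefix=24):
    """Collapse the inside addresses seen via the inner router into networks (assumed >= /24)."""
    inner_mac, nets = inner_mac.lower(), set()
    for src_mac, dst_mac, src_ip, dst_ip in filter(None, map(parse_frame, frames)):
        if inner_mac in (src_mac, dst_mac):
            # Sent by the inner router: source is inside. Sent to it: destination is inside.
            inside = src_ip if src_mac == inner_mac else dst_ip
            nets.add(ipaddress.ip_network(f"{inside}/{prefix}", strict=False))
    return list(ipaddress.collapse_addresses(nets))

def snort_var(nets):
    return "var HOME_NET [" + ",".join(str(n) for n in nets) + "]"

def make_frame(src_mac, dst_mac, src_ip, dst_ip, ethertype=0x0800):
    """Build a minimal constructed frame: Ethernet header plus a bare 20-byte IPv4 header."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return (mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype)
            + b"\x45" + bytes(11) + ip(src_ip) + ip(dst_ip))

# Constructed sample traffic (private and documentation addresses), not captured data.
SAMPLE_FRAMES = [
    make_frame(INNER_MAC, OUTER_MAC, "10.1.2.5", "198.51.100.7"),
    make_frame(OUTER_MAC, INNER_MAC, "203.0.113.9", "10.1.3.40"),
    make_frame(INNER_MAC, OUTER_MAC, "192.168.40.10", "198.51.100.7"),
    make_frame(OUTER_MAC, "00:00:5e:00:53:99", "203.0.113.9", "172.16.0.1"),  # other next hop
    make_frame(INNER_MAC, OUTER_MAC, "10.9.9.9", "10.8.8.8", ethertype=0x0806),  # not IPv4
]

if __name__ == "__main__":
    print(snort_var(derive_home_net(SAMPLE_FRAMES)))
```

Source addresses in frames sent by the inner router are only as trustworthy as the hosts behind it, so the generated list is best reviewed before it replaces a maintained HOME_NET.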



Received on Wed Mar 26 17:44:22 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT
