[Oisf-users] Discrepancies in Snort and Suricata alerts

Travis Green travis at travisgreen.net
Fri Oct 5 17:01:40 UTC 2018


In my environment, it appeared that I was able to reproduce the problem.
Then, in troubleshooting, I modified the rule in question to remove
$HOME_NET and replace with "any" and the rule fires:

alert http any any -> $EXTERNAL_NET any (msg:"ET MALWARE SearchProtect
<snip>

Fatima, this might be worth double checking in your environment.

-T

references:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L15

ipvar HOME_NET any
https://github.com/jasonish/snort/blob/master/etc/snort.conf#L45
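To see why the two defaults quoted above make the same rule behave differently, here is an added example (not part of the original post and not Suricata or Snort code) that evaluates the address part of a rule header against a flow under each engine's default variables. The `HOME_NET` values are the two quoted in the post; the `EXTERNAL_NET` values are assumed to be the usual defaults (`!$HOME_NET` for Suricata, `any` for Snort). The flows, the `compare_engines` helper and the TEST-NET addresses are constructed for illustration; the parser assumes lists without whitespace, as in the quoted defaults.

```python
import ipaddress

# HOME_NET defaults as quoted in the post (suricata.yaml.in and snort.conf).
# EXTERNAL_NET values are assumptions for illustration, not taken from the post.
SURICATA_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",   # assumption: usual Suricata default
}
SNORT_VARS = {
    "HOME_NET": "any",
    "EXTERNAL_NET": "any",          # assumption: usual snort.conf default
}


def _split_top_level(body):
    """Split a comma-separated list on commas that are not inside nested brackets."""
    items, depth, cur = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur).strip())
    return [i for i in items if i]


def addr_matches(spec, addr, variables):
    """Return True if IP address `addr` matches the address specification `spec`.

    Supports: any, $VAR references, ! negation, CIDR or single addresses and
    (nested) bracketed lists. A negated entry inside a list excludes; a list made
    only of negations matches everything that is not excluded.
    """
    spec = spec.strip()
    if spec.lower() == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], addr, variables)
    if spec.startswith("[") and spec.endswith("]"):
        items = _split_top_level(spec[1:-1])
        excluded = [i[1:] for i in items if i.startswith("!")]
        included = [i for i in items if not i.startswith("!")]
        if any(addr_matches(e, addr, variables) for e in excluded):
            return False
        if not included:
            return True
        return any(addr_matches(i, addr, variables) for i in included)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def header_addresses(rule_header):
    """Pull the source and destination address specs out of a rule header such as
    'alert http $HOME_NET any -> $EXTERNAL_NET any'. Ports are ignored here."""
    tokens = rule_header.split()
    # tokens: action proto src srcport direction dst dstport
    return tokens[2], tokens[5]


def rule_addresses_match(rule_header, src, dst, variables):
    """True if the flow src -> dst satisfies the rule header's address constraints."""
    src_spec, dst_spec = header_addresses(rule_header)
    return addr_matches(src_spec, src, variables) and addr_matches(dst_spec, dst, variables)


def compare_engines(rule_header, src, dst):
    """Evaluate the rule's address constraints under both engines' default variables."""
    return {
        "suricata": rule_addresses_match(rule_header, src, dst, SURICATA_VARS),
        "snort": rule_addresses_match(rule_header, src, dst, SNORT_VARS),
    }


if __name__ == "__main__":
    RULE = "alert http $HOME_NET any -> $EXTERNAL_NET any"
    # Constructed flows: the second source is not RFC1918, so Suricata's default
    # HOME_NET does not cover it while Snort's "any" does.
    for src, dst in [("10.1.2.3", "198.51.100.5"), ("203.0.113.10", "198.51.100.5")]:
        print(src, "->", dst, compare_engines(RULE, src, dst))
```

With the original `$HOME_NET` header, a client outside the three RFC1918 ranges (for example a host on a public address the sensor happens to see) never satisfies the source constraint under Suricata's default but always does under Snort's `any`; swapping `$HOME_NET` for `any` in the rule, as the post describes, makes both engines agree. The practical check is therefore whether the traffic in question really originates from an address covered by the sensor's `HOME_NET`, rather than whether the rule itself differs between the two engines.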