If you look in the manual, every time -h is used it is given a network range or an individual IP, and it is also used together with -l, which itself is only used with -vde (otherwise you are in sniffer mode). It is never made clear exactly what -h actually does. Similarly, if you type:
snort --help
on the command line, the -h entry says:
-h <hn>         Home network = <hn>
So one might think that passing -h on the command line sets the HOME_NET variable found in snort.conf. Well, as you have probably guessed by now, this is not the case.
So here's the truth: -h has nothing to do with HOME_NET as specified in the snort.conf file.
As we know,
var HOME_NET any
specifies which addresses count as "home" when a rule's direction is matched inside the detection engine. Likewise,
var HOME_NET 192.168.0.0/16
in snort.conf is substituted into every rule that references $HOME_NET. This is not what -h does.
So, for example, the following rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Alert!"; content:"/content"; sid:10000001;)
With the following in my snort.conf:
- var HOME_NET any
- var EXTERNAL_NET any
I get the following alert:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
If I define HOME_NET in snort.conf as:
- var HOME_NET 192.168.0.0/16
- var EXTERNAL_NET any
I still get the alert, which is fine:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
If I define HOME_NET in snort.conf as:
- var HOME_NET 72.14.0.0/16
- var EXTERNAL_NET any
I don't get an alert, exactly as planned. Now I run the same test with the same rule and with
- var HOME_NET any
- var EXTERNAL_NET any
in my snort.conf, but this time I pass 192.168.0.0/16 to the -h command line option. The result:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
Exactly as before.
Now, if I run with -h 72.14.0.0/16 on the command line, I get the following alert:
[**] [1:10000001:0] Alert! [**]
[Priority: 0]
03/29-16:57:47.361016 192.168.1.120:51968 -> 72.14.204.147:80
TCP TTL:64 TOS:0x0 ID:13360 IpLen:20 DgmLen:993 DF
***AP*** Seq: 0xC03BC58E  Ack: 0x8B9BF8F5  Win: 0x822B  TcpLen: 32
TCP Options (3) => NOP NOP TS: 63957188 2272801581
which I should not have. So, no, -h does not set HOME_NET.
So if you are trying to specify HOME_NET, you need to do it in the snort.conf file.
So what does -h do? After checking with the development team and reading the code myself: -h controls how packets are logged (when using the old "log per directory" mode). This isn't very clear in the documentation or in the --help output, so I've asked the developers to make what -h does clearer in both the documentation and the code. It's pretty much only useful in sniffer mode, not much in IDS mode.
5 comments:
Yes, I left it out intentionally for a future post and to not confuse people. I find it more productive to explain things separately than together. Better results that way and less confusion.
You could probably mention the -S option, which is what you would use if you wanted to specify a variable on the command line..
-S HOME_NET=[192.168.0.0/16]
-S variable=value
Set variable name "variable" to value "value". This is useful for setting the value of a defined variable name in a Snort rules file to a command line specified value. For instance, if you define a HOME_NET variable name inside of a Snort rules file, you can set this value from its predefined value at the command line.
./ebf0
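To make the post's four experiments and the -S override from this comment reproducible without a live sensor, here is a small added simulation (not Snort's code, and not the author's) of how Snort resolves $HOME_NET/$EXTERNAL_NET in a rule header: variables come from var lines in snort.conf, -S NAME=VALUE replaces them, and -h is accepted but deliberately ignored, which is exactly what the post observed. The packet tuple is constructed from the alert shown above; the 'any', '!' negation and '<>' handling go slightly beyond the single rule in the post.

```python
import ipaddress
import re

# Constructed from the packet header in the post's alert output:
# 192.168.1.120:51968 -> 72.14.204.147:80 as (src_ip, src_port, dst_ip, dst_port)
PACKET = ("192.168.1.120", 51968, "72.14.204.147", 80)

RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"Alert!"; content:"/content"; sid:10000001;)')


def build_vars(conf_lines, s_overrides=(), h_option=None):
    """Variable table as Snort builds it: 'var NAME VALUE' lines from snort.conf,
    then each -S NAME=VALUE replaces the conf value.  -h is accepted and then
    ignored on purpose: the post shows it never changes HOME_NET."""
    table = {}
    for line in conf_lines:
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            table[m.group(1)] = m.group(2)
    for override in s_overrides:          # e.g. "HOME_NET=[192.168.0.0/16]"
        name, _, value = override.partition("=")
        table[name.strip()] = value.strip().strip("[]")
    return table


def addr_matches(spec, ip):
    """'any' matches everything; a leading '!' negates; else CIDR/host membership."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_fires(rule, table, packet):
    """Resolve $VARS in the rule header and test it against the packet's
    src -> dst direction ('<>' rules are also tested the other way round)."""
    _, _proto, src, sport, arrow, dst, dport = rule.split("(", 1)[0].split()

    def resolve(tok):
        return table[tok[1:]] if tok.startswith("$") else tok

    src, dst = resolve(src), resolve(dst)
    sip, sp, dip, dp = packet
    hit = (addr_matches(src, sip) and port_matches(sport, sp)
           and addr_matches(dst, dip) and port_matches(dport, dp))
    if arrow == "<>" and not hit:
        hit = (addr_matches(src, dip) and port_matches(sport, dp)
               and addr_matches(dst, sip) and port_matches(dport, sp))
    return hit
```

Running the post's cases through it: HOME_NET of any or 192.168.0.0/16 fires, 72.14.0.0/16 in snort.conf does not, -h 72.14.0.0/16 still fires, and only -S HOME_NET=[72.14.0.0/16] silences the rule from the command line.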