Snort rules use network variables to decide which side of a packet belongs to the protected environment. Setting HOME_NET in snort.lua keeps inbound, outbound, and local rules aligned with the networks the sensor is meant to defend instead of treating every address as protected.
In Snort 3 source installs, HOME_NET and EXTERNAL_NET are set near the top of /usr/local/etc/snort/snort.lua before snort_defaults.lua is included. The default ips policy then exposes those values through default_variables so rule headers using $HOME_NET and $EXTERNAL_NET can compile.
Use CIDR blocks owned or monitored by the sensor. A single protected network can be written directly, while multiple networks need a bracketed list; EXTERNAL_NET can stay broad or exclude HOME_NET depending on whether local and east-west sources should remain in scope.
Related: How to test Snort configuration
Related: How to enable a Snort ruleset
$ sudoedit /usr/local/etc/snort/snort.lua
-- HOME_NET and EXTERNAL_NET must be set now
HOME_NET = 'any'

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'

include 'snort_defaults.lua'
HOME_NET = '192.0.2.0/24'

-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = '!$HOME_NET'

include 'snort_defaults.lua'
Replace 192.0.2.0/24 with the network this sensor protects. Use HOME_NET = '[192.0.2.0/24,198.51.100.0/24]' when one sensor protects multiple routed networks. Keep EXTERNAL_NET = 'any' when internal or east-west sources should still match rules.
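To see what a given pair of HOME_NET and EXTERNAL_NET values does to a rule header such as $EXTERNAL_NET any -> $HOME_NET any, here is an added Python example (not Snort's code and not part of the original page). It uses its own small parser for the two assignments and two constructed snort.lua fragments, and shows that EXTERNAL_NET = '!$HOME_NET' stops an east-west packet between two protected networks from matching, while 'any' keeps it in scope.

```python
import ipaddress
import re

# Constructed snort.lua fragments (only the two assignments matter here).
STRICT_CFG = "HOME_NET = '[192.0.2.0/24,198.51.100.0/24]'\nEXTERNAL_NET = '!$HOME_NET'\n"
BROAD_CFG = "HOME_NET = '192.0.2.0/24'\nEXTERNAL_NET = 'any'\n"


def parse_var(value):
    """Parse one address value: 'any', 'a.b.c.d/n', '[a,b]' or a '!' negation.
    Returns (networks, negated); networks is None when the value is 'any'."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value == "any":
        return None, negated
    nets = [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.strip("[]").split(",")]
    return nets, negated


def resolve(cfg):
    """Pull HOME_NET / EXTERNAL_NET out of snort.lua text and expand $VAR
    references (a deliberately small stand-in for Snort's own parser)."""
    raw = dict(re.findall(r"^\s*(HOME_NET|EXTERNAL_NET)\s*=\s*'([^']*)'", cfg, re.M))
    resolved = {}
    for name in ("HOME_NET", "EXTERNAL_NET"):
        value = raw[name]
        for ref, repl in raw.items():
            value = value.replace("$" + ref, repl)
        resolved[name] = parse_var(value)
    return resolved


def matches(spec, addr):
    """True when addr is covered by a parsed variable (honouring '!')."""
    nets, negated = spec
    ip = ipaddress.ip_address(addr)
    hit = True if nets is None else any(ip in net for net in nets)
    return hit != negated


def rule_fires(cfg, src, dst):
    """Would a rule with header '$EXTERNAL_NET any -> $HOME_NET any' match
    a packet from src to dst under this configuration?"""
    vars_ = resolve(cfg)
    return matches(vars_["EXTERNAL_NET"], src) and matches(vars_["HOME_NET"], dst)


if __name__ == "__main__":
    # East-west packet between two protected networks: 198.51.100.10 -> 192.0.2.25
    print("broad :", rule_fires(BROAD_CFG, "198.51.100.10", "192.0.2.25"))   # True
    print("strict:", rule_fires(STRICT_CFG, "198.51.100.10", "192.0.2.25"))  # False
```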
ips =
{
    variables = default_variables
}
Leave any existing include entry in the same table when the ruleset is already enabled. Removing variables = default_variables can make rules that reference $HOME_NET or $EXTERNAL_NET fail to compile.
$ sudo snort -c /usr/local/etc/snort/snort.lua -T
--------------------------------------------------
o")~   Snort++ 3.12.2.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
##### snipped #####
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
Related: How to test Snort configuration
$ sudo snort -q -c /usr/local/etc/snort/snort.lua \
    -R /usr/local/etc/snort/rules/local.rules \
    -r home-net-test.pcap -k none -A alert_fast
06/25-09:15:00.000000 [**] [1:1000008:1] "LOCAL HOME_NET test" [**] [Priority: 0] {TCP} 198.51.100.10:49152 -> 192.0.2.25:8080
Use a local rule and pcap that target the protected address range for the sensor. -k none turns off checksum verification, which matters for lab-generated pcaps whose checksums were never calculated by the capturing host; without it those packets would be discarded before the rule is evaluated.
Related: How to create a local Snort rule
Related: How to run Snort against a packet capture
$ sudo systemctl restart snort
Use the service name and run command from the local deployment if Snort is not managed by a snort.service unit.
Related: How to create a Snort systemd service