HOME_NET Definition


New Life Form
Hi All,

I hope someone can help me identify where HOME_NET is defined within USM. We have a load of false positive alarms generated between internal assets where the alarm rule is "alert tcp $HOME_NET any -> $EXTERNAL_NET any".

In all cases, both the source and destination assets are assigned to a Network as defined through the Assets and Groups section, as well as the IP ranges associated with each of the assets being defined as monitored networks on their respective sensor.


Best Answers


  • If I have two different physical locations in which I have a Server appliance + remote sensor respectively... Would it be good practice to add ALL networks to the HOME_NET on each server/sensor rather than just the local networks they are receiving data from?
  • No, you have to think about what you're monitoring, what you want to protect, and which networks.

    users home nets versus server home nets
    critical assets home nets versus other servers home nets
  • @ol.batard for your response.

    I have 3 subnets with ONLY servers on them

    2 subnets in location A sending logs to its local USM server

    1 subnet in Location B sending logs to its local USM sensor.

    What I'm asking is if it's OK to add all those 3 subnets in both Server and sensors rather than only the networks they are supposed to receive data from locally. (I should clarify that both locations A and B talk to each other as well, so there is traffic coming and going between them)
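
An added example (not from any poster in this thread and not USM's own code) showing how the address part of the rule quoted in the question evaluates under different HOME_NET scopes. It assumes EXTERNAL_NET is defined as the negation of HOME_NET, which the thread does not state; the subnets, flows and function names are constructed for illustration.

```python
import ipaddress

# Constructed subnets standing in for the three server networks in the thread.
SITE_A = ["10.10.1.0/24", "10.10.2.0/24"]   # location A, two subnets
SITE_B = ["10.20.1.0/24"]                   # location B, one subnet


def in_nets(ip, cidrs):
    """True when ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def header_matches(src, dst, home_net):
    """Address part of 'alert tcp $HOME_NET any -> $EXTERNAL_NET any'.

    Assumption: EXTERNAL_NET is the negation of HOME_NET.
    """
    return in_nets(src, home_net) and not in_nets(dst, home_net)


def candidate_flows(flows, home_net):
    """Flows whose addresses satisfy the rule header for this HOME_NET."""
    return [f for f in flows if header_matches(f[0], f[1], home_net)]


# Constructed flows: A->B, B->A, A->A, A->internet (documentation range).
FLOWS = [
    ("10.10.1.5", "10.20.1.9"),
    ("10.20.1.9", "10.10.2.7"),
    ("10.10.1.5", "10.10.2.7"),
    ("10.10.1.5", "203.0.113.10"),
]

if __name__ == "__main__":
    scopes = [
        ("sensor A, local subnets only", SITE_A),
        ("sensor B, local subnets only", SITE_B),
        ("all three subnets", SITE_A + SITE_B),
    ]
    for label, home in scopes:
        print(label, "->", candidate_flows(FLOWS, home))
```

With only local subnets in HOME_NET, traffic between the two locations satisfies the rule header on the sensor that sees it; with all three subnets listed, only the internet-bound flow does.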
