Snort mailing list archives
Re: Best External_Net setting
From: Erek Adams <erek () snort org>
Date: Thu, 22 May 2003 10:35:16 -0400 (EDT)
On Thu, 22 May 2003, Stephen W. Thomas wrote:
I'm trying to find out what the pros and cons are of setting the external_net variable to "!$home_net" instead of "any" on a client's network. The network is currently configured where the internet feeds a router, which feeds a firewall, which feeds a Windows2k network. The network consists of web servers, DNS servers, Exchange servers, and file servers. These are all on the same domain. Snort is monitoring that domain. My boss is trying to get rid of all of the false hits it's taking from inter-server traffic, so I thought that changing the External_Net variable to "!$Home_Net" would do it. However, I'm afraid that if someone broke through the firewall, or spoofed an internal IP, then we wouldn't get any hits on it. Does anyone have any thoughts on External_Net being defined as "any" or "!$Home_Net"?
These are only my opinions...

With 'any' you have the widest coverage possible. Snort would examine each and every packet to see if there was a rule match. There's also the huge increase in false positives that you have to contend with.

By swapping over to use !$HOME_NET you limit the amount of data, which does a few things: makes Snort faster, cuts down on false positives and reduces memory usage. With fewer checks to make (all IPs vs. all IPs minus some), Snort will process packets more quickly. This may only be an issue if you are at a high-utilization site.

If you're worried about missing things, then add a few rules that catch 'weird stuff'. Something like:

    # A SYN leaving a web server is anomalous; local rules take sids from 1000000 up.
    alert tcp $WEB_SERVERS any -> $EXTERNAL_NET any (msg:"Outgoing SYN from the webserver!"; flags:S; sid:1000001; rev:1;)

Since nothing in WEB_SERVERS should initiate an outgoing connection. You can massage that to work for other servers as needed.

For some more examples check the archives under 'anomaly detection' [0]. There's been some discussion about how to use standard Snort rules to detect 'weird things'.

Is there a perfect setting? Nope. Is there one that might work for you? Yep. :)

Hope that helps!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

[0] http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=anomaly+detection&q=b
    http://marc.theaimsgroup.com/?t=104504313900002&r=1&w=2
    http://marc.theaimsgroup.com/?l=snort-users&m=104547413832200&w=2
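The trade-off the two messages above argue about comes down to how Snort resolves the address part of a rule header once EXTERNAL_NET is declared as `var EXTERNAL_NET any` versus `var EXTERNAL_NET !$HOME_NET` in snort.conf. The following is an added example written for this archive page; it is not code from Snort or from either poster. It is a small Python model of that address resolution (variables, negation, CIDR, simple lists) plus an exact flags:S check, run over a handful of constructed flows against a generic inbound rule header and the outbound-SYN anomaly rule from the reply. The HOME_NET range, the WEB_SERVERS list and every flow are assumed sample values; ports, content matching, bidirectional headers and the exception semantics Snort gives to negated entries inside a list are deliberately not modelled.

```python
"""Toy model of how Snort's address variables decide what a rule covers.

Added example for the Snort-users thread, not code from Snort or the posters.
Only the IP-address part of a Snort 2 rule header (variables, negation, CIDR,
plain lists) and an exact flags:S check are modelled.
"""
import ipaddress

# Constructed site definitions (assumptions, not from the original post).
VARS = {
    "HOME_NET": "192.168.1.0/24",
    "WEB_SERVERS": "[192.168.1.10,192.168.1.11]",
}

# Constructed sample flows: name -> (src, dst, TCP flags seen on the packet).
FLOWS = {
    "inet_to_web": ("203.0.113.5", "192.168.1.10", "S"),             # probe from the Internet
    "internal_to_internal": ("192.168.1.20", "192.168.1.30", "S"),   # Exchange -> file server
    "spoofed_internal_to_web": ("192.168.1.99", "192.168.1.10", "S"),  # forged internal source
    "web_to_inet": ("192.168.1.10", "198.51.100.7", "S"),            # web server dials out
    "web_to_internal_dns": ("192.168.1.10", "192.168.1.53", "S"),    # legitimate DNS lookup
}

# A generic inbound rule header, and the anomaly rule suggested in the reply.
INBOUND_RULE = {"proto": "tcp", "src": "$EXTERNAL_NET", "dst": "$HOME_NET", "flags": "S"}
OUTBOUND_SYN_RULE = {"proto": "tcp", "src": "$WEB_SERVERS", "dst": "$EXTERNAL_NET", "flags": "S"}


def address_matches(spec, ip, variables=VARS):
    """True if ip satisfies a Snort-style address spec.

    Handles 'any', '$VAR', '!<spec>', 'a.b.c.d', 'a.b.c.d/nn' and
    '[spec,spec,...]' (treated here as a plain OR of its entries).
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return address_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(address_matches(part, ip, variables) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_fires(rule, flow, variables=VARS):
    """Evaluate a simplified rule header against one flow.

    'ip' rules match any protocol; when the rule carries flags they must
    match the packet's flags exactly.
    """
    if rule["proto"] not in ("ip", flow["proto"]):
        return False
    if not address_matches(rule["src"], flow["src"], variables):
        return False
    if not address_matches(rule["dst"], flow["dst"], variables):
        return False
    return rule.get("flags") is None or rule["flags"] == flow.get("flags")


def coverage(external_net, rule, flows=FLOWS, variables=VARS):
    """Map each sample flow to whether `rule` fires with EXTERNAL_NET set to external_net."""
    site = dict(variables, EXTERNAL_NET=external_net)
    return {
        name: rule_fires(rule, {"proto": "tcp", "src": src, "dst": dst, "flags": flags}, site)
        for name, (src, dst, flags) in flows.items()
    }


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"\nvar EXTERNAL_NET {setting}")
        for label, rule in (("inbound ", INBOUND_RULE), ("outbound", OUTBOUND_SYN_RULE)):
            hits = coverage(setting, rule)
            print(f"  {label}", {name: "ALERT" if fired else "-" for name, fired in hits.items()})
```

Running it shows both halves of the argument in one table. With `!$HOME_NET`, the Exchange-to-file-server flow drops out of every `$EXTERNAL_NET -> $HOME_NET` rule, which is the noise reduction the boss wanted, but so does the flow with a forged internal source address, which is exactly the gap the original poster feared. At the same time the outbound-SYN anomaly rule stops firing on the web server's legitimate lookups to the internal DNS server and only alerts when the web server reaches a genuinely external host, which is why the reply pairs the narrower variable with rules of that shape.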
Current thread:
- Best External_Net setting Stephen W. Thomas (May 22)
- Re: Best External_Net setting Erek Adams (May 22)
- Re: Best External_Net setting Roy S. Rapoport (May 22)