Snort mailing list archives

Re: Best External_Net setting


From: "Roy S. Rapoport" <snort-users () ols inorganic org>
Date: Thu, 22 May 2003 09:41:54 -0700

On Thu, May 22, 2003 at 08:36:25AM -0500, Stephen W. Thomas wrote:
> I'm trying to find out what the pros and cons are to setting the
> external_net variable to "!$home_net" instead of "any" on a client's
> network.
>
> The network is currently configured where the internet feeds a router
> which feeds a firewall which feeds a Windows2k network. The network
> consists of Web servers, DNS servers, Exchange servers, and file
> servers. These are all on the same domain. Snort is monitoring that
> domain. My boss is trying to get rid of all of the false hits it's
> taking from inter-server traffic, so I thought that changing the
> External_Net variable to "!$Home_Net" would do it. However, I'm afraid
> if someone broke through the firewall, or spoofed an internal IP then
> we wouldn't get any hits on it.
>
> Does anyone have any thoughts on External_Net being defined as "any"
> or "!$Home_Net"?

I'm hardly an expert on IDS functionality or Snort specifically, but my
stance is that I want to have Snort be reliable enough in terms of its
alerting and avoidance of false positives that I'll feel comfortable
responding vigorously to alerts.  Given that, I want to do everything to
avoid FPs.  Given that, I think you've got to change *something* --
whether it's the rules themselves or the definition of EXTERNAL_NET.

For me, I found that Snort was giving me tons of FPs because my SNMP
polling station was polling various devices via SNMP; since EXTERNAL_NET
was 'anything', the SNMP rules caught this polling and alerted me.  

The question then becomes what your priority is -- ease and simplicity
of management, or catching every possible badness.  For me, for example,
if I changed EXTERNAL to exclude HOME, I'd get rid of FPs at the cost
of not catching it if one of my other devices got compromised and
someone on it started trying to do SNMP polling.  Alternatively, if I
have the time and energy, I could make it so my rules are so specific
that they allow SNMP access *only* from my SNMP polling station; SSH
access *only* from the system that's allowed to do that, etc.

I personally, at least for now, chose to define EXTERNAL as !HOME.

-roy
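
The three choices Roy lays out (EXTERNAL_NET left as any, EXTERNAL_NET set to !$HOME_NET, or a rule narrowed to the one host that is allowed to poll) written out as snort.conf fragments. This is an added example, not configuration from the original post or from the Snort project; the address ranges, the SNMP_POLLER variable name and the sids are assumptions. The syntax is Snort 2.x "var" syntax (later 2.x releases prefer "ipvar" for address lists); check the "config order" directive against the manual for the version you run.

```snort
# Added example (not from the original post). Addresses and the poller are hypothetical.
var HOME_NET [192.168.10.0/24,192.168.20.0/24]   # hypothetical internal ranges
var SNMP_POLLER 192.168.10.5                      # hypothetical polling station

# Option 1: the default. Any source address, internal or not, satisfies a rule
# that starts "alert udp $EXTERNAL_NET any -> $HOME_NET 161", so every routine
# walk from the poller trips the SNMP rules. This is the noise the thread is about.
var EXTERNAL_NET any

# Option 2: what Roy chose. Inter-server traffic no longer matches $EXTERNAL_NET,
# so the poller's noise disappears. The cost: a packet whose source address falls
# in HOME_NET never matches !$HOME_NET, whether it was sent by a compromised
# internal host or arrived from outside with a spoofed internal source address.
# (Comment out Option 1 above if you enable this; a variable is defined once.)
# var EXTERNAL_NET !$HOME_NET

# Option 3: keep EXTERNAL_NET broad and make the noisy rule itself specific.
# Disable the stock SNMP rule it replaces, then alert on SNMP requests from any
# source except the known poller. Local rules use sids of 1000000 and above.
alert udp !$SNMP_POLLER any -> $HOME_NET 161 (msg:"LOCAL SNMP request from a host other than the poller"; sid:1000001; rev:1;)

# Same effect with a pass rule, if you would rather leave the stock SNMP rules
# untouched. Snort 2.x evaluates alert rules before pass rules unless the order
# is changed here (or with -o on the command line), so without this line the
# pass rule never wins.
config order: pass alert log activation dynamic
pass udp $SNMP_POLLER any -> $HOME_NET 161 (msg:"LOCAL allow SNMP from the poller"; sid:1000002; rev:1;)
```

Option 3 is the "rules so specific" approach Roy describes: it keeps the alert for a compromised server that starts polling its neighbours, which Option 2 gives up, at the cost of maintaining one exception per sanctioned source (the poller here, the management host for SSH, and so on).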





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users