Snort mailing list archives
Re: Best External_Net setting
From: "Roy S. Rapoport" <snort-users () ols inorganic org>
Date: Thu, 22 May 2003 09:41:54 -0700
On Thu, May 22, 2003 at 08:36:25AM -0500, Stephen W. Thomas wrote:
I'm trying to find out what the pros and cons are to setting the external_net variable to "!$home_net" instead of "any" on a client's network. The network is currently configured where the internet feeds a router which feeds a firewall which feeds a Windows2k network. The network consists of Web servers, DNS servers, Exchange servers, and file servers. These are all on the same domain. Snort is monitoring that domain. My boss is trying to get rid of all of the false hits it's taking from inter-server traffic, so I thought that changing the External_Net variable to "!$Home_Net" would do it. However, I'm afraid if someone broke through the firewall, or spoofed an internal IP, then we wouldn't get any hits on it. Does anyone have any thoughts on External_Net being defined as "any" or "!$Home_Net"?
I'm hardly an expert on IDS functionality or Snort specifically, but my stance is that I want to have Snort be reliable enough in terms of its alerting and avoidance of false positives that I'll feel comfortable responding vigorously to alerts. Given that, I want to do everything to avoid FPs. Given that, I think you've got to change *something* -- whether it's the rules themselves or the definition of EXTERNAL_NET.

For me, I found that Snort was giving me tons of FPs because my SNMP polling station was polling various devices via SNMP; since EXTERNAL_NET was 'anything', the SNMP rules caught this polling and alerted me.

The question then becomes what your priority is -- ease and simplicity of management, or catching every possible badness. For me, for example, if I changed EXTERNAL to exclude HOME, I'd get rid of FPs at the cost of not catching it if one of my other devices got compromised and someone on it started trying to do SNMP polling. Alternatively, if I have the time and energy, I could make it so my rules are so specific that they allow SNMP access *only* from my SNMP polling station; SSH access *only* from the system that's allowed to do that, etc.

I personally, at least for now, chose to define EXTERNAL as !HOME.

-roy
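As an added illustration, not part of the original thread, the following Snort 2.x snort.conf fragment shows the two options the reply weighs: defining EXTERNAL_NET as !$HOME_NET, versus keeping EXTERNAL_NET as any and narrowing the noisy SNMP rule to exclude the polling station. The address ranges, the SNMP_POLLER variable name and the sid value are assumptions chosen for the example.

```snort
# Option A: everything outside HOME_NET is "external".
# Rules written as $EXTERNAL_NET -> $HOME_NET no longer match traffic
# whose source is inside HOME_NET, so the inter-server SNMP polling
# alerts disappear. The cost: a compromised internal host probing its
# neighbours, or a packet spoofed with an internal source address,
# also falls inside HOME_NET and is not alerted on by those rules.
var HOME_NET [192.168.10.0/24,192.168.20.0/24]   # assumed internal ranges
var EXTERNAL_NET !$HOME_NET

# Option B: keep EXTERNAL_NET as "any" (the default) and make the rule
# itself specific. Only the known management station may poll SNMP;
# any other source, internal or external, still raises an alert.
# This keeps coverage but means maintaining a list of allowed sources
# per service (SNMP, SSH, ...), as the reply notes.
# var EXTERNAL_NET any
var SNMP_POLLER 192.168.10.5                      # assumed polling station
alert udp !$SNMP_POLLER any -> $HOME_NET 161 \
    (msg:"SNMP request from host other than the polling station"; \
    classtype:attempted-recon; sid:1000001; rev:1;)
```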
Current thread:
- Best External_Net setting Stephen W. Thomas (May 22)
- Re: Best External_Net setting Erek Adams (May 22)
- Re: Best External_Net setting Roy S. Rapoport (May 22)