Snort mailing list archives

Re: Home_net/External Net question


From: John Duksta <jduksta () gmail com>
Date: Thu, 9 Sep 2004 06:03:12 -0400

On Wed, 8 Sep 2004 13:34:53 -0700 (PDT), Seth Art <adidas30 () yahoo com> wrote:
> Background:
>
> I have 2 firewalls, each monitoring 3 subnets.
>
> Subnets a, b, and c and VPN pool1 are going out/coming in through firewall one.
> Subnets d, e, and f and VPN pool2 are going out/coming in through firewall two.
>
> On my sensor inside of Firewall 1 HOME_NET is [a,b,c,vpnpool1]
> On my sensor inside of Firewall 2 HOME_NET is [d,e,f,vpnpool2]
>
> EXTERNAL_NET on both is !$HOME_NET
>
> a) keep the home_nets the same but make a new variable called entire_home_net
> and include all 6 subnets and both vpn pools and negate THAT for the external_net
>
> b) add subnets a-f and both vpn pools to the home_net var on each sensor
> (I don't think so)

With the way the majority of the stock snort rules are written (EXTERNAL_NET -> HOME_NET),
option a and option b end up being essentially the same. For option a, if you have traffic
going from net C to net F, it's not going to trigger a rule because you won't get an address
match (C -> F is HOME_NET to ENTIRE_HOME_NET, thus no match.)

You're really going to have to make this determination based upon your security policy. Do
you consider each environment (Nets A,B,C,VPN Pool1 and Nets D,E,F, VPN Pool 2) to be a threat
to each other? Are there resources in each group that need to be kept separate or are these
just two different sites, each with the same kind of users and security policy and traffic
flowing freely between them? If the latter, I would recommend adding all your possible
networks (A-F, VPN Pools 1 and 2) to your home net to reduce your FPs.

HTH,

-j

-- 
John Duksta <jduksta () gmail com>
Can't sleep, clowns will eat me.
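
The address-matching argument in the reply above, worked through as an added example (not
code from the original thread). It is a small Python model of how a stock
`$EXTERNAL_NET any -> $HOME_NET any` rule tests source and destination addresses under the
current configuration, option a and option b. The subnet values are constructed RFC 1918
placeholders standing in for the letters a-f and the two VPN pools in the post; the model
only implements list membership and `!` negation, not the full Snort variable syntax.

```python
"""Model Snort EXTERNAL_NET -> HOME_NET address matching for the configurations
discussed in the thread. Subnet values are constructed placeholders, not from the post."""
import ipaddress
from typing import NamedTuple

# Constructed placeholders for the networks named in the post.
NETS = {
    "a": "10.1.0.0/24", "b": "10.2.0.0/24", "c": "10.3.0.0/24", "vpnpool1": "10.10.0.0/24",
    "d": "10.4.0.0/24", "e": "10.5.0.0/24", "f": "10.6.0.0/24", "vpnpool2": "10.20.0.0/24",
}


class NetVar(NamedTuple):
    """A Snort address variable: a list of networks, optionally negated (!$VAR)."""
    nets: tuple
    negated: bool = False


def netvar(names, negated=False):
    """Build a NetVar from the placeholder names in NETS."""
    return NetVar(tuple(ipaddress.ip_network(NETS[n]) for n in names), negated)


def var_matches(var, addr):
    """True if addr satisfies the variable: in the list, or (if negated) not in the list."""
    in_list = any(ipaddress.ip_address(addr) in net for net in var.nets)
    return not in_list if var.negated else in_list


def rule_fires(external_net, home_net, src, dst):
    """Address test of a stock 'alert ... $EXTERNAL_NET any -> $HOME_NET any' rule."""
    return var_matches(external_net, src) and var_matches(home_net, dst)


def sensor_configs():
    """(EXTERNAL_NET, HOME_NET) per sensor for each configuration in the thread."""
    site1 = ["a", "b", "c", "vpnpool1"]
    site2 = ["d", "e", "f", "vpnpool2"]
    everything = site1 + site2
    return {
        # current: HOME_NET is the local site, EXTERNAL_NET is !$HOME_NET
        "current": {
            "sensor1": (netvar(site1, negated=True), netvar(site1)),
            "sensor2": (netvar(site2, negated=True), netvar(site2)),
        },
        # option a: HOME_NET stays local, EXTERNAL_NET is !$ENTIRE_HOME_NET
        "option_a": {
            "sensor1": (netvar(everything, negated=True), netvar(site1)),
            "sensor2": (netvar(everything, negated=True), netvar(site2)),
        },
        # option b: HOME_NET holds all eight networks on both sensors
        "option_b": {
            "sensor1": (netvar(everything, negated=True), netvar(everything)),
            "sensor2": (netvar(everything, negated=True), netvar(everything)),
        },
    }


def evaluate(src, dst):
    """Map each configuration to {sensor: would the rule's address test pass}."""
    return {
        option: {name: rule_fires(ext, home, src, dst) for name, (ext, home) in sensors.items()}
        for option, sensors in sensor_configs().items()
    }


if __name__ == "__main__":
    # Constructed hosts: one in net C, one in net F, one on the Internet.
    for label, src, dst in [("C -> F", "10.3.0.7", "10.6.0.9"),
                            ("Internet -> F", "203.0.113.5", "10.6.0.9")]:
        print(label)
        for option, result in evaluate(src, dst).items():
            print(f"  {option:9s} {result}")
```

Running it shows the two points the reply makes: with the current configuration, sensor 2
treats a host in net C as external and an `EXTERNAL_NET -> HOME_NET` rule passes the address
test for C -> F (the source of the false positives), while under both option a and option b
that flow fails the address test on every sensor. Internet -> F still passes on sensor 2 in
all three configurations, so the site-to-site traffic is the only thing being excluded.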


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net