Snort mailing list archives
EXTERNAL_NET: any vs !$HOME_NET
From: "Hari Sekhon" <hpsekhon () googlemail com>
Date: Mon, 1 Jan 2007 17:36:13 +0000
I've currently got "var EXTERNAL_NET any" in my snort.conf and was considering making it "var EXTERNAL_NET !$HOME" instead, but looking at the rules files, it seems that most rules will immediately disregard any suspicious traffic from your HOME_NET in this case, which basically blinds you to any internal threats. I am also running snort on several servers that are not publicly accessible (i.e. port forwards) but want to be able to see malicious or suspicious traffic from all networks.

The current problem with "EXTERNAL_NET any" is that a lot of rules are throwing up too many false positives, and it's very difficult to go around writing pass rules for every other packet that goes through the network interface (I exaggerate slightly). It seems a very difficult juggling act to, on the one hand, stop false positives and, on the other, not totally negate the worth of the IDS by making it too loose.

For example, I have stacks of "MS Terminal server request RDP" alerts coming from machines on my home net. I can see how changing EXTERNAL_NET would be a good idea to stop these unless they come from outside the network, but this also stops most rules from matching if somebody attacks from a machine within the building or any remote site connected via VPN (which are included in HOME_NET and therefore excluded from EXTERNAL_NET).

Anybody got any advice on this?

-- 
Hari Sekhon
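The trade-off the post describes, as an added example (not code from the poster or from the Snort project): a small Python model of how the `$EXTERNAL_NET` source-address test in a rule header behaves under `any` versus `!$HOME_NET`. The HOME_NET ranges, the three connection attempts and the RDP rule shape are assumptions constructed for the example; the point it shows is that with `!$HOME_NET` the same rule stays silent for a source on the LAN or at the VPN-connected remote site.

```python
import ipaddress
from dataclasses import dataclass

# Constructed HOME_NET standing in for the poster's "var HOME_NET": an office LAN
# plus a remote site reached over VPN, which the post says is included in HOME_NET.
# The address ranges are assumptions for the example, not values from the post.
HOME_NET = [
    ipaddress.ip_network("192.168.1.0/24"),  # machines "within the building"
    ipaddress.ip_network("10.8.0.0/24"),     # remote site connected via VPN
]


def in_home_net(addr: str) -> bool:
    """True if addr falls in any HOME_NET range (the $HOME_NET test)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def matches_external_net(addr: str, external_net: str) -> bool:
    """Model the $EXTERNAL_NET source-address test for the two settings compared
    in the post: 'any' matches every source, '!$HOME_NET' matches only sources
    outside HOME_NET."""
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return not in_home_net(addr)
    raise ValueError(f"unsupported EXTERNAL_NET value: {external_net}")


@dataclass(frozen=True)
class Flow:
    """A single TCP connection attempt (constructed test data)."""
    src: str
    dst: str
    dport: int


def rdp_rule_fires(flow: Flow, external_net: str) -> bool:
    """Header match for a rule of the form
         alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (...)
    i.e. the shape of the "MS Terminal server request RDP" alerts mentioned.
    Only the address/port header is modelled; payload options are ignored."""
    return (
        flow.dport == 3389
        and matches_external_net(flow.src, external_net)
        and in_home_net(flow.dst)
    )


# Constructed flows: one from the Internet, one LAN-to-LAN, one from the VPN site.
FLOWS = [
    Flow("203.0.113.7", "192.168.1.10", 3389),   # Internet -> internal server
    Flow("192.168.1.20", "192.168.1.10", 3389),  # same LAN -> internal server
    Flow("10.8.0.5", "192.168.1.10", 3389),      # VPN-connected site -> server
]


def evaluate(external_net: str) -> dict:
    """Return {source address: rule fired?} for every constructed flow."""
    return {f.src: rdp_rule_fires(f, external_net) for f in FLOWS}


def alert_count(external_net: str) -> int:
    """Number of constructed flows that would raise the RDP alert."""
    return sum(evaluate(external_net).values())


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {setting}:")
        for src, fired in evaluate(setting).items():
            print(f"  {src:>14} -> {'ALERT' if fired else 'no alert'}")
```

With `any`, all three attempts alert, including the internal and VPN-site sources that generate the noise the post complains about; with `!$HOME_NET`, only the Internet-sourced attempt alerts, and the other two are never evaluated against the rule at all, which is the blind spot for internal and VPN-connected attackers the post points out.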
Current thread:
- EXTERNAL_NET: any vs !$HOME_NET Hari Sekhon (Jan 01)
- Re: EXTERNAL_NET: any vs !$HOME_NET Jason Brvenik (Jan 01)
- Re: EXTERNAL_NET: any vs !$HOME_NET Hari Sekhon (Jan 01)
- Re: EXTERNAL_NET: any vs !$HOME_NET Jason Brvenik (Jan 01)
- Re: EXTERNAL_NET: any vs !$HOME_NET Hari Sekhon (Jan 01)
- Re: EXTERNAL_NET: any vs !$HOME_NET Jason Brvenik (Jan 01)