Snort mailing list archives
Re: Upgraded to 2.8.6 and external network addresses
From: Nick Moore <nmoore () sourcefire com>
Date: Thu, 29 Apr 2010 17:07:47 -0500
James,

One more thing: I often recommend leaving EXTERNAL_NET as "any". That way, if a machine in your HOME_NET gets infected and starts to misbehave, you will see more rules trigger. Many rules are written as:

    alert tcp $EXTERNAL_NET any -> $HOME_NET someport (msg:...

Happy Snorting!

Nick

On Thu, Apr 29, 2010 at 4:11 PM, James R. Marcus <jmarcus () edhance com> wrote:

Yes, I did misunderstand. Thank you for posting the link; it was very helpful.

James

On Apr 29, 2010, at 4:56 PM, Burks, Doug wrote:

Hi James,

I think you're misunderstanding the purpose of EXTERNAL_NET. Quoting from http://seclists.org/snort/2007/q1/3 :

"HOME_NET is a list of systems you are interested in protecting. EXTERNAL_NET is a list of systems you are interested in protecting HOME_NET from."

Regards,
Doug Burks

-----Original Message-----
From: James R. Marcus [mailto:jmarcus () edhance com]
Sent: Thursday, April 29, 2010 4:46 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Upgraded to 2.8.6 and external network addresses

Hi,

Pretty new to Snort. I upgraded to 2.8.6 today and I'm running on CentOS 5.3 64-bit. In reality I didn't upgrade: I removed (not uninstalled) all the Snort binaries from my system and then installed an RPM of 2.8.6. I copied a fair amount of my configuration from the snort.conf of my earlier version. I specified my web servers, telnet servers (phone system), etc. in the configuration. Then I came to the EXTERNAL_NET variable and looked at the IPs assigned to my routers. I added the CIDR nets we were assigned. So now I'm getting a lot fewer alerts; is that because of the additional detail I provided for network services and external networks? I know it says a good start may be "any", but is that because some people don't know their external CIDR net? These aren't my real IPs:

    # Set up the external network addresses. A good start may be "any"
    var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]

Thanks,
James

--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)
Sourcefire - The Creators of Snort
www.sourcefire.com www.snort.org
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
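The effect Nick and Doug describe can be checked with a small header matcher. What follows is an added example written for this archive page; it is not code from the thread, from Snort or from Sourcefire, and it evaluates only the address/port/direction header of a rule in the shape Nick quotes, not the rule options. The HOME_NET value (RFC 5737 documentation space), the sample flows and the rule header are constructed for the example; the restricted EXTERNAL_NET reuses the placeholder CIDRs James posted. It also evaluates the "!$HOME_NET" form, which the thread does not mention, as a third setting so the three behaviours can be compared side by side.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed snort.conf fragments for this example (not James's actual file).
# HOME_NET is RFC 5737 documentation space; the EXTERNAL_NET CIDRs in the
# restricted variant are the placeholder ones James posted in the thread.
RESTRICTED_CONF = """
var HOME_NET [192.0.2.0/24]
var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]
"""
ANY_CONF = """
var HOME_NET [192.0.2.0/24]
var EXTERNAL_NET any
"""
NEGATED_CONF = """
var HOME_NET [192.0.2.0/24]
var EXTERNAL_NET !$HOME_NET
"""

# Constructed rule header of the shape Nick quotes; only the header (addresses,
# ports, direction) is evaluated here, the rule options are irrelevant to this check.
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80"

# Constructed sample flows: (source IP, source port, destination IP, destination port).
FLOWS = {
    "internet_to_webserver": ("203.0.113.9", 40000, "192.0.2.10", 80),
    "router_to_webserver": ("67.89.243.210", 40001, "192.0.2.10", 80),
    "infected_host_to_webserver": ("192.0.2.50", 40002, "192.0.2.10", 80),
}


@dataclass
class NetVar:
    """Resolved value of an address variable: a set of networks, optionally negated, or 'any'."""
    nets: list = field(default_factory=list)
    negate: bool = False
    is_any: bool = False

    def contains(self, ip):
        if self.is_any:
            return not self.negate
        hit = any(ip in net for net in self.nets)
        return not hit if self.negate else hit


def _resolve(value, raw):
    """Resolve one variable value: 'any', '[a,b,c]', a single CIDR, or a (possibly negated) '$REF'."""
    if value == "any":
        return NetVar(is_any=True)
    negate = value.startswith("!")
    body = value[1:] if negate else value
    if body.startswith("$"):
        ref = _resolve(raw[body[1:]], raw)
        return NetVar(nets=ref.nets, negate=ref.negate != negate, is_any=ref.is_any)
    body = body.strip("[]")
    nets = [ipaddress.ip_network(cidr.strip(), strict=False)
            for cidr in body.split(",") if cidr.strip()]
    return NetVar(nets=nets, negate=negate)


def parse_vars(conf):
    """Collect 'var NAME value' lines from a snort.conf fragment and resolve them."""
    raw = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            raw[parts[1]] = parts[2]
    return {name: _resolve(value, raw) for name, value in raw.items()}


def _addr_ok(token, variables, ip):
    addr = ipaddress.ip_address(ip)
    if token == "any":
        return True
    if token.startswith("$"):
        return variables[token[1:]].contains(addr)
    return addr in ipaddress.ip_network(token, strict=False)


def _port_ok(token, port):
    return token == "any" or int(token) == port


def rule_matches(rule, variables, src_ip, src_port, dst_ip, dst_port):
    """Evaluate a one-directional rule header against one flow."""
    _action, _proto, src, sport, direction, dst, dport = rule.split()
    if direction != "->":
        raise ValueError("only '->' headers are handled in this example")
    return (_addr_ok(src, variables, src_ip) and _port_ok(sport, src_port)
            and _addr_ok(dst, variables, dst_ip) and _port_ok(dport, dst_port))


def alerts_for(conf, rule=RULE, flows=FLOWS):
    """Which sample flows would trip the rule header under a given snort.conf fragment."""
    variables = parse_vars(conf)
    return {name: rule_matches(rule, variables, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, conf in (("restricted", RESTRICTED_CONF), ("any", ANY_CONF), ("!$HOME_NET", NEGATED_CONF)):
        print(f"{label:12} {alerts_for(conf)}")
```

Running it shows the three outcomes the thread is circling around: with EXTERNAL_NET restricted to the router CIDRs, neither an arbitrary Internet source nor the infected internal host matches $EXTERNAL_NET, so the rule never fires for them (hence far fewer alerts); with "any", all three flows match; with "!$HOME_NET", Internet sources match but the infected host inside HOME_NET does not, which is exactly the case Nick's recommendation is meant to keep visible.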
Current thread:
- Re: Alternative to BASE, (continued)
- Re: Alternative to BASE Kevin Johnson (Apr 28)
- Re: Alternative to BASE Curt Shaffer (Apr 28)
- Re: Alternative to BASE Kevin Johnson (Apr 28)
- Re: Alternative to BASE Curt Shaffer (Apr 28)
- Re: Alternative to BASE Stephen Mullins (Apr 28)
- Re: Alternative to BASE Jeff Kell (Apr 28)
- Re: Alternative to BASE Bamm Visscher (Apr 28)
- Re: Alternative to BASE Stephen Mullins (Apr 28)
- Upgraded to 2.8.6 and external network addresses James R. Marcus (Apr 29)
- Re: Upgraded to 2.8.6 and external network addresses Burks, Doug (Apr 29)
- Re: Upgraded to 2.8.6 and external network addresses James R. Marcus (Apr 29)
- Re: Upgraded to 2.8.6 and external network addresses Nick Moore (Apr 29)
- Re: Alternative to BASE Jeff Kell (Apr 28)
- Re: Alternative to BASE Kevin Johnson (Apr 28)