Re: Upgraded to 2.8.6 and external network addresses

[Nick Moore <nmoore () sourcefire com>]

James,

One more thing: I often recommend leaving EXTERNAL_NET as "any". That way if
a machine in your HOME_NET gets infected and starts to misbehave, you will
see more rules trigger. Many rules are written as "alert tcp $EXTERNAL_NET
any -> $HOME_NET someport ('msg...."

Happy Snorting!

Nick

On Thu, Apr 29, 2010 at 4:11 PM, James R. Marcus <jmarcus () edhance com>wrote:

> Yes I did misunderstand, thank you for posting the link, it was very
> helpful.
>
> James
>
>
> On Apr 29, 2010, at 4:56 PM, Burks, Doug wrote:
>
> > Hi James,
> >
> > I think you're misunderstanding the purpose of EXTERNAL_NET.  Quoting
> > from http://seclists.org/snort/2007/q1/3 :
> > "HOME_NET is a list of systems you are interested in protecting.
> > EXTERNAL_NET is a list of systems you are interested in protecting
> > HOME_NET from."
> >
> > Regards,
> > Doug Burks
> >
> > -----Original Message-----
> > From: James R. Marcus [mailto:jmarcus () edhance com]
> > Sent: Thursday, April 29, 2010 4:46 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Upgraded to 2.8.6 and external network addresses
> >
> > Hi,
> > Pretty new to Snort. I upgraded to 2.8.6 today and I'm running on Cent
> > OS 5.3 64-bit. In reality I didn't upgrade, I removed (not uninstalled)
> > all the Snort binaries from my system and then installed an RPM of
> > 2.8.6. I copied a fair amount of my configuration from the snort.conf of
> > my earlier version.  I specified my Web servers, telnet servers (phone
> > system), etc in the configuration.  Then I came to the EXTERNAL_NET
> > variable and looked at the IPs assigned to my routers. I added the the
> > CIDR nets we were assigned.  So now I'm getting a lot fewer alerts, is
> > that because of the additonal detail I provided for network services and
> > external networks?
> >
> > I know it says a good start may be "any" but is that because some people
> > don't know their external CIDR net?
> >
> >
> > There aren't my real IPs:
> >
> >
> > # Set up the external network addresses.  A good start may be "any"
> > var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]
> >
> >
> >
> > Thanks,
> > James
> > ------------------------------------------------------------------------
> > ------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users