Snort mailing list archives
Re: Regarding snort.conf HOME_NET and EXTERNAL_NET
From: Adam Hogan <ahogan () sourcefire com>
Date: Fri, 11 Nov 2011 07:52:06 -0500
On Thu, Nov 10, 2011 at 4:39 PM, Brandon Phelps <bphelps () gls com> wrote:
Hello,

The default snort.conf indicates that you should leave EXTERNAL_NET as "any" in most situations. I already have HOME_NET set to [10.0.0.0/8] (my internal network) so would it be prudent to set EXTERNAL_NET to !$HOME_NET instead, or should I leave it as any?

I would like to cut down on false positives and such as much as possible without the risk of losing any truly malicious alerts. I have seen other configuration examples that have EXTERNAL_NET set to negate HOME_NET, so I'm not sure which is best.

Thanks,
Brandon

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Brandon,

If you set $EXTERNAL_NET to !$HOME_NET you would miss any attacks that originate in your network. If somebody brought malware into your office on their laptop it could spread around your network all day without firing an alert. If you want to see these kinds of alerts on this sensor then you should leave EXTERNAL_NET set to any.

--
Adam W. Hogan
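The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Snort's own code: a simplified Python model of how a rule header written as `$EXTERNAL_NET -> $HOME_NET` evaluates against two constructed flows under each EXTERNAL_NET setting. The function names, the sample addresses and the reduced variable syntax (no nested lists, no negated list members) are assumptions made for illustration.

```python
import ipaddress

def resolve(spec, variables):
    """Turn a Snort-style address spec into a predicate ip -> bool.

    Simplified model: supports 'any', a CIDR block, $VAR, a leading '!',
    and a flat [a,b] list. Nested lists and negated list members are
    not modelled.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        inner = resolve(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return resolve(variables[spec[1:]], variables)
    if spec == "any":
        return lambda ip: True
    if spec.startswith("[") and spec.endswith("]"):
        parts = [resolve(p, variables) for p in spec[1:-1].split(",")]
        return lambda ip: any(p(ip) for p in parts)
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

def header_matches(src_spec, dst_spec, flow, variables):
    """True if the flow's source and destination satisfy the rule header."""
    src, dst = flow
    return resolve(src_spec, variables)(src) and resolve(dst_spec, variables)(dst)

# Header shape assumed for the rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any
RULE_HEADER = ("$EXTERNAL_NET", "$HOME_NET")

# Constructed sample flows (source, destination)
FLOWS = {
    "internet_to_internal": ("203.0.113.7", "10.1.2.3"),
    "laptop_to_internal": ("10.9.8.7", "10.1.2.3"),  # infected host inside HOME_NET
}

def coverage(external_net):
    """Which sample flows the rule header can match for a given EXTERNAL_NET."""
    variables = {"HOME_NET": "[10.0.0.0/8]", "EXTERNAL_NET": external_net}
    return {name: header_matches(*RULE_HEADER, flow, variables)
            for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {setting}: {coverage(setting)}")
```

With `!$HOME_NET`, the internal-to-internal flow never satisfies the header, so the rule body is not evaluated for it at all; with `any`, both flows are inspected.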
Current thread:
- Regarding snort.conf HOME_NET and EXTERNAL_NET Brandon Phelps (Nov 10)
- Re: Regarding snort.conf HOME_NET and EXTERNAL_NET Adam Hogan (Nov 11)