Snort mailing list archives
Re: Doubt about configuration HOME, EXTERNAL.
From: Agus <agus.262 () gmail com>
Date: Sun, 9 Jun 2013 19:41:58 -0300
Thanks Shane for your time! Will try to do some pcaps..

2013/6/6 Morris, Shane (US SSA) <shane.morris () baesystems com>
Agus,

When you’re watching traffic leaving your network you’re looking for things like users going to infected sites, CNC, bad domains/IPs, data exfil, etc. It’s just as important as watching the noise banging off your web servers.

If your net is just the /24 then I think your variables are correct. The rule header would be HOME_NET -> EXTERNAL_NET. Also, Snort's default HTTP_PORTS variable includes proxy ports, so you can catch your users going to the net through a proxy port.

The best thing to do is run some dumps on your listening port/s and analyze the traffic along with some accurate net diags.

From: Agus [mailto:agus.262 () gmail com]
Sent: Wednesday, June 05, 2013 9:54 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Doubt about configuration HOME, EXTERNAL.

Any link, tip is appreciated.

Thanks

2013/6/4 Agus <agus.262 () gmail com>

Hi guys,

I have a subnet that connects to a client network. They asked me to implement an IDS. So I built snort/snorby/PP.

This is an unusual place, at least for me, as I am supposed to monitor the traffic going away from my net to the other, instead of the more common case where I monitor incoming traffic to my servers.

So my doubt is how I should configure the network variables.

My net = 10.11.0.0/24 - HOME_NET
Client = !HOME_NET - EXTERNAL_NET

That is the approach I took, the same as if the servers were on my net; but that ain't the case, as I have the clients/users on my net, and all services (web, proxy, inet) are on their side. I was thinking of swapping the values.

Thanks for any tip you can provide!
Cheers
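An added example, not part of the thread or of Snort itself: a simplified Python model of a one-way `->` rule header, showing which constructed packets the header `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` matches with the variables as posted and with them swapped. It models only the IP/port header (no rule options or preprocessors); the port set is a constructed stand-in for HTTP_PORTS, the 192.0.2.0/24 addresses are placeholders for the client network, and all function names are hypothetical.

```python
import ipaddress

# Assumption: a small constructed subset of web/proxy ports standing in
# for the HTTP_PORTS variable; not the real default list.
HTTP_PORTS = {80, 3128, 8080}

def make_vars(home_cidr, swapped=False):
    """Return (HOME_NET, EXTERNAL_NET) membership tests; one is the negation of the other."""
    net = ipaddress.ip_network(home_cidr)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    outside = lambda ip: not inside(ip)
    # swapped=True models the idea of exchanging the two values.
    return (outside, inside) if swapped else (inside, outside)

def header_matches(pkt, src_var, dst_var, dst_ports):
    """Model of a one-way header: src_var any -> dst_var dst_ports."""
    src_ip, _src_port, dst_ip, dst_port = pkt
    return src_var(src_ip) and dst_var(dst_ip) and dst_port in dst_ports

def outbound_hits(packets, home_cidr, swapped=False):
    """Packets matched by '$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS'."""
    home, external = make_vars(home_cidr, swapped)
    return [p for p in packets if header_matches(p, home, external, HTTP_PORTS)]

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port)
PACKETS = [
    ("10.11.0.25", 51000, "192.0.2.10", 80),    # user -> web server on client side
    ("10.11.0.31", 51001, "192.0.2.20", 3128),  # user -> proxy on client side
    ("192.0.2.10", 80, "10.11.0.25", 51000),    # web server reply back to user
    ("10.11.0.25", 51002, "10.11.0.31", 8080),  # internal host to internal host
    ("10.11.0.40", 51003, "192.0.2.30", 22),    # user -> non-HTTP port
]

if __name__ == "__main__":
    for label, swapped in (("as posted", False), ("swapped", True)):
        hits = outbound_hits(PACKETS, "10.11.0.0/24", swapped)
        print(f"{label}: {len(hits)} packet(s) matched")
        for pkt in hits:
            print("   ", pkt)
```

With the variables as posted, the two user requests to web and proxy ports match; with the values swapped, the same header matches none of the sample packets, because the users' addresses no longer fall under the source variable.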