Snort mailing list archives

Re: HOME_NET and EXTERNAL_NET question


From: John Sage <jsage () finchhaven com>
Date: Sat, 9 Feb 2002 07:58:13 -0800

Kresna:

I would say that you want to set your $HOME_NET and $EXTERNAL_NET
correctly for your network topology, and accomplish what you're
*really* trying to do with rules, maybe in local.rules.

There, establish rules that look at traffic outbound, thus:

# Source port "any" added: a Snort rule header needs both a source and a
# destination port (action proto src sport -> dst dport), and the quoted
# sid 613 in scan.rules uses "any" on its $HOME_NET side.
alert tcp $HOME_NET any -> $EXTERNAL_NET 10101 (msg:"SCAN myscan"; \
 ttl: >220; ack: 0; flags: S; reference:arachnids,439; \
 classtype:attempted-recon; sid:613; rev:1;)

Note that this is only an example, but that the source and
destinations are flipped from the original rule in scan.rules.


HTH..

- John

-- 
Most people don't type their own logfiles;  but, what do I care?



On Fri, Feb 08, 2002 at 03:45:10PM -0800, Kresna Prawira wrote:
If I want to monitor traffic originating from both the inside network and the
external network, what is the best way to do that? The reason for this is
to monitor whether any of my internal users try to hack somebody outside.

Right now I put "any" on HOME_NET and EXTERNAL_NET.


thanks.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
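The reply above flips the source and destination of a scan.rules signature to catch the same behaviour leaving the network. The script below is an added example written for this archive page, not code from John, Kresna or the Snort project: it parses a single-line Snort rule, swaps the source and destination side, gives the copy a sid in the local range and prefixes its msg so the outbound alert is distinguishable. The sid 613 rule text is embedded as a constructed sample so the script runs offline; `LOCAL_SID_MIN`, `flip_rule`, `swap_ports` and `direction_is_meaningful` are names chosen for this example. The `swap_ports=False` mode goes beyond the reply: it keeps each port on its original side, which is the right choice when the fixed port belongs to the scanning tool rather than to the target. `direction_is_meaningful` encodes the point that with HOME_NET and EXTERNAL_NET both set to "any", `$HOME_NET -> $EXTERNAL_NET` matches every packet in either direction.

```python
import re

# Constructed sample input: the scan.rules signature (sid 613) that the reply
# flips, written out here so the script runs without a Snort install.
SCAN_MYSCAN = (
    'alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any '
    '(msg:"SCAN myscan"; ttl: >220; ack: 0; flags: S;'
    'reference:arachnids,439; classtype:attempted-recon; sid:613; rev:1;)'
)

# Rule header: action proto src sport dir dst dport, then the option block.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

LOCAL_SID_MIN = 1000000  # conventional start of the locally written sid range


def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and option text."""
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a recognisable single-line Snort rule: %r" % rule)
    return m.groupdict()


def header_of(parts):
    """Rebuild the header string from parsed fields (extra keys are ignored)."""
    return "%(action)s %(proto)s %(src)s %(sport)s %(dir)s %(dst)s %(dport)s" % parts


def flip_rule(rule, new_sid, swap_ports=True, msg_prefix="OUTBOUND "):
    """Return an outbound copy of an inbound rule.

    swap_ports=True swaps the whole (address, port) pairs, which is what the
    reply's example does. swap_ports=False swaps only the addresses and keeps
    each port on its original side; use that when the port belongs to the
    scanning tool (a fixed source port) rather than to the host being scanned.
    """
    if new_sid < LOCAL_SID_MIN:
        raise ValueError("give locally written rules a sid >= %d" % LOCAL_SID_MIN)
    p = parse_rule(rule)
    flipped = dict(p)
    flipped["src"], flipped["dst"] = p["dst"], p["src"]
    if swap_ports:
        flipped["sport"], flipped["dport"] = p["dport"], p["sport"]
    opts = p["opts"]
    opts = re.sub(r"sid:\s*\d+;", "sid:%d;" % new_sid, opts)   # new, local sid
    opts = re.sub(r"rev:\s*\d+;", "rev:1;", opts)              # fresh revision
    opts = re.sub(r'msg:"', 'msg:"' + msg_prefix, opts, count=1)
    return "%s (%s)" % (header_of(flipped), opts)


def direction_is_meaningful(home_net, external_net):
    """A $HOME_NET -> $EXTERNAL_NET header only restricts direction if at
    least one of the two variables is narrower than 'any'."""
    return (home_net.strip().lower() != "any"
            or external_net.strip().lower() != "any")


if __name__ == "__main__":
    print(flip_rule(SCAN_MYSCAN, 1000001))
    print(flip_rule(SCAN_MYSCAN, 1000002, swap_ports=False))
    print("direction meaningful with any/any:", direction_is_meaningful("any", "any"))
```

Run it as a script to see both flipped forms; drop the output into local.rules and set HOME_NET to the internal address space (with EXTERNAL_NET as `!$HOME_NET` or the outside ranges) so the direction in the header actually means something.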