Snort mailing list archives
Re: exclude home_net from external_net
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 24 Oct 2002 10:15:11 -0400
pilsl () goldfisch at wrote:
Now I got myriads of alerts when internal clients connect to our squid server. Of course this is not what I want (alerts are only useful on external connects),
<snip>

I'd strongly disagree with this. It depends a lot on the signature. A signature that tells me external systems are performing code red/nimda scans is useless. On the other hand, one that tells me internal systems are performing those scans is very useful indeed.

Accurate signatures that are tripped from the outside often indicate only an attempt or scan. Accurate signatures tripped from the inside often indicate a compromised box or inappropriate behavior.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
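The triage distinction drawn in the reply above, as an added example that is not part of the original post: a short Python script that reads Snort "fast" alert lines and lists the alerts whose source address is inside HOME_NET. The HOME_NET range, the rule names, the SIDs and the sample alert lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the site's HOME_NET (192.0.2.0/24 is a documentation range).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]

# Rule message and address pair of a Snort "fast" alert line (ports optional).
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{\w+\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample alerts: one external scan, two scans from an internal
# host, and one internal client talking to an internal proxy.
SAMPLE = [
    "10/24-10:02:11.104233  [**] [1:1000001:1] EXAMPLE worm scan [**] [Priority: 1] {TCP} 198.51.100.7:4312 -> 192.0.2.10:80",
    "10/24-10:03:40.551020  [**] [1:1000001:1] EXAMPLE worm scan [**] [Priority: 1] {TCP} 192.0.2.45:1093 -> 203.0.113.20:80",
    "10/24-10:03:41.002917  [**] [1:1000001:1] EXAMPLE worm scan [**] [Priority: 1] {TCP} 192.0.2.45:1094 -> 203.0.113.21:80",
    "10/24-10:05:02.730114  [**] [1:1000002:1] EXAMPLE proxy rule [**] [Priority: 3] {TCP} 192.0.2.33:2201 -> 192.0.2.5:3128",
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def classify(line):
    """Return (direction, source, rule message), or None if not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    src_in, dst_in = is_internal(m["src"]), is_internal(m["dst"])
    if src_in:
        direction = "internal" if dst_in else "outbound"
    else:
        direction = "inbound" if dst_in else "transit"
    return direction, m["src"], m["msg"]

def internal_sources(lines):
    """Count alerts per (internal source, rule), most frequent first."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result and result[0] in ("outbound", "internal"):
            hits[(result[1], result[2])] += 1
    return hits.most_common()
```

Running `internal_sources(SAMPLE)` puts the internal host that tripped the scan rule at the top of the list, while the proxy alert still has to be judged by its signature.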
Current thread:
- exclude home_net from external_net pilsl (Oct 24)
- Re: exclude home_net from external_net Alberto Gonzalez (Oct 24)
- Re: exclude home_net from external_net Gary Flynn (Oct 24)