Snort mailing list archives

Re: exclude home_net from external_net


From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 24 Oct 2002 10:15:11 -0400

pilsl () goldfisch at wrote:

Now I got myriads of alerts when internal clients connect to our squid
server. Of course this is not what I want (alerts are only useful on
external connects),
<snip>

I'd strongly disagree with this. It depends a lot on the
signature. A signature that tells me external systems are
performing code red/nimda scans is useless. On the other
hand, one that tells me internal systems are performing
those scans is very useful indeed.

Accurate signatures that are tripped from the outside often
indicate only an attempt or scan. Accurate signatures tripped
from the inside often indicate a compromised box or
inappropriate behavior.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

