Snort mailing list archives
Re: External Subnets
From: adam_peterson () splwg com
Date: Tue, 25 Nov 2003 18:14:45 -0800
I can't believe that the "!" I chose as an example does what I asked. That's hilarious. Thanks for the help, and to address the issue you bring up, I plan to set up a 2nd sensor like this and run it in parallel with my existing sensor so I can see which alerts I'm missing. I currently receive far too many alerts for behaviors that would only be harmful if they were sent from outside my networks, so instead of excluding those rules as I've done in the past, I'd like to see how they behave with the external_net variable "properly" defined.

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | adam_peterson () splwg com | +1.415.357.4787

Erwin Van de Velde <erwin.vandevelde@ua.ac.be>
To: adam_peterson () splwg com, snort-users () lists sourceforge net
Subject: Re: [Snort-users] External Subnets
11/26/2003 02:27 AM CET

I haven't tried it yet, and while it's 2:30 AM here in Belgium it will have to wait till tomorrow :-) But I think yes, and if not, why don't you say then

var NETWORK = 192.168.0.0/24
var EXTERNAL_NET = !$NETWORK

for example? Although I don't think it's such a good idea to take anything else than 'any' for the $EXTERNAL_NET, as many attack rules are based on the fact that the attacker is on the external net. By setting this to something like !$NETWORK, every employee in your firm on $NETWORK can attack any host on your network unnoticed, which cannot be what you meant it to be I think... Any ideas on this?

Greetz,
Erwin Van de Velde
Student of the Antwerp University, Belgium

On Wednesday 26 November 2003 01:10, adam_peterson () splwg com wrote:
Is it possible to specify a negative variable value for a variable? Meaning:

var EXTERNAL_NET !HOME_NET

The bang is just an idea of something that would negate the value so that my external_net variable would be any ip/subnet that isn't part of the home_net variable. Is there anything in place to allow for this? Could there be? Since so many of the rules are based on the external_net variable, it's very frustrating that it must be set to ANY for my configurations because I can't specify every subnet on the Internet...or can I? Any help/advice is greatly appreciated.

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | adam_peterson () splwg com
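An added example, not from the thread or from Snort's own code, that mimics the variable resolution discussed above. It uses a constructed HOME_NET of 192.168.0.0/24 and two constructed flows to show what Erwin's caveat means in practice: with EXTERNAL_NET set to !$HOME_NET, a rule headed `$EXTERNAL_NET -> $HOME_NET` no longer fires for an internal source, which is exactly the coverage gap a parallel sensor with EXTERNAL_NET any would reveal.

```python
import ipaddress

# Constructed variable table mirroring the thread's example network.
VARIABLES = {"HOME_NET": "192.168.0.0/24"}


def matches(spec, ip, variables=VARIABLES):
    """Does address `ip` fall under a Snort-style variable spec?

    Supports 'any', a CIDR block, a '$VAR' reference and a leading
    '!' that negates whatever follows (e.g. '!$HOME_NET').
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return matches(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def rule_fires(src, dst, external_net, home_net="$HOME_NET"):
    """Header check for the common rule shape `$EXTERNAL_NET -> $HOME_NET`."""
    return matches(external_net, src) and matches(home_net, dst)


# Constructed flows: one outside host and one inside host, both
# talking to the same internal server 192.168.0.10.
FLOWS = [("203.0.113.5", "192.168.0.10"), ("192.168.0.20", "192.168.0.10")]


def compare(settings=("any", "!$HOME_NET")):
    """For each EXTERNAL_NET setting, list the sources the rule still sees."""
    return {s: [src for src, dst in FLOWS if rule_fires(src, dst, s)]
            for s in settings}


if __name__ == "__main__":
    for setting, seen in compare().items():
        print(f"EXTERNAL_NET = {setting:<11} -> rule fires for sources {seen}")
```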