Snort mailing list archives

rules and the EXTERNAL_NET variable


From: adam_peterson () splwg com
Date: Wed, 26 Nov 2003 13:47:24 -0800

I've now defined the EXTERNAL_NET variable as !$HOME_NET, excluding my 
defined internal subnets.  I have 2 sensors running to compare the results 
of also having the EXTERNAL_NET set to 'any' and found that, much to my 
dismay, the vast majority of rules specify EXTERNAL_NET as the source so 
even though I'm getting far less false-positives with the new/test sensor, 
I'm also going to potentially miss a virus-based attack on my LANs.  It 
seems as though certain types of attacks, specifically any attack coming 
from a virus, should not specify the EXTERNAL_NET variable as the source 
because this means that the EXTERNAL_NET variable MUST be defined as 
'any' or viruses will be missed.  My reasoning is that the Slammer worm, 
for example, has 2 rules:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2004; rev:1;)

With the EXTERNAL_NET variable NOT set to 'any,' SQL Worm propagation on 
the LAN/WAN will not be caught because there is no rule specifying any 
source unless one assumes that EXTERNAL_NET has been set to 'any.'  Am I 
correct that this type of rule, that is a rule specifically for a virus, 
should ideally be written as:

alert udp any any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

if you're using EXTERNAL_NET to mean what, again IMHO, it should mean?  It's 
the same for Nimda except there isn't an outbound rule for Nimda so more 
could be missed.  It seems it would make more sense this way but maybe my 
configuration is unique?  Or maybe it's just Wednesday afternoon before a 
4-day weekend...

Should I expect to customize my rules to this level of detail if I expect 
to seriously limit the amount of false-positives?  I've always just 
disabled as many rules that cause false-positives as possible but now I'm 
running into rules that I can't in my right mind disable.  Maybe I'm just 
reaching the next step in customization?  I could really use a sanity 
check before going through every rule.

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | 
adam_peterson () splwg com
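The coverage gap the post describes can be checked mechanically. The following is an added example written for this archive page, not code from the post or from the Snort project: a small evaluator of Snort rule headers (address tokens `any`, CIDR, `$VAR` and `!` negation, plus the `->` / `<>` direction) that runs the two stock Slammer rules and the proposed `any any` variant against three constructed packets under both EXTERNAL_NET settings. The HOME_NET subnets, the packet addresses and the rule names are assumptions made for the example; payload options are ignored because only the header decides the question being asked.

```python
import ipaddress

# Constructed configuration for this example (not from the original post):
# HOME_NET is two internal subnets; the two EXTERNAL_NET settings are the ones
# the post compares on its two sensors.
HOME_NET = ["192.168.1.0/24", "10.0.0.0/8"]
VARS_STRICT = {"HOME_NET": HOME_NET, "EXTERNAL_NET": ["!$HOME_NET"]}
VARS_ANY = {"HOME_NET": HOME_NET, "EXTERNAL_NET": ["any"]}

# The three rule headers from the post. Payload options (content, depth,
# references) are omitted because this evaluator only looks at the header.
# The dictionary keys are example labels, not Snort identifiers.
RULES = {
    "stock_inbound": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 '
                     '(msg:"MS-SQL Worm propagation attempt"; sid:2003; rev:2;)',
    "stock_outbound": 'alert udp $HOME_NET any -> $EXTERNAL_NET 1434 '
                      '(msg:"MS-SQL Worm propagation attempt OUTBOUND"; sid:2004; rev:1;)',
    "proposed_any": 'alert udp any any -> $HOME_NET 1434 '
                    '(msg:"MS-SQL Worm propagation attempt"; sid:2003; rev:2;)',
}

# Constructed packets: (proto, src ip, src port, dst ip, dst port).
# 203.0.113.0/24 is documentation space standing in for "the Internet".
PACKETS = {
    "internet_to_lan": ("udp", "203.0.113.5", 40123, "192.168.1.10", 1434),
    "lan_to_lan":      ("udp", "192.168.1.10", 40123, "10.1.2.3", 1434),
    "lan_to_internet": ("udp", "192.168.1.10", 40123, "203.0.113.5", 1434),
}


def addr_matches(token, ip, variables):
    """Evaluate one header address token (any, CIDR, $VAR, !negation) against ip."""
    if token.startswith("!"):
        return not addr_matches(token[1:], ip, variables)
    if token == "any":
        return True
    if token.startswith("$"):
        # A variable expands to a list of tokens; it matches if any member matches.
        return any(addr_matches(t, ip, variables) for t in variables[token[1:]])
    return ip in ipaddress.ip_network(token)


def port_matches(token, port):
    """Evaluate a header port token: any, a single port, !negation or low:high."""
    if token.startswith("!"):
        return not port_matches(token[1:], port)
    if token == "any":
        return True
    if ":" in token:
        low, high = token.split(":")
        return (not low or int(low) <= port) and (not high or port <= int(high))
    return int(token) == port


def parse_header(rule):
    """Split 'action proto src sport dir dst dport (' into its seven fields."""
    action, proto, src, sport, direction, dst, dport = rule.split("(", 1)[0].split()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport}


def rule_matches(rule, pkt, variables):
    """True if the rule header matches the packet under the given variable set."""
    h = parse_header(rule)
    proto, src, sport, dst, dport = pkt
    if h["proto"] != proto:
        return False
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def one_way(s, sp, d, dp):
        return (addr_matches(h["src"], s, variables) and port_matches(h["sport"], sp)
                and addr_matches(h["dst"], d, variables) and port_matches(h["dport"], dp))

    if h["dir"] == "<>":
        return one_way(src, sport, dst, dport) or one_way(dst, dport, src, sport)
    return one_way(src, sport, dst, dport)


def fired(variables, packet_name):
    """Sorted labels of the rules whose header matches the named constructed packet."""
    pkt = PACKETS[packet_name]
    return sorted(name for name, rule in RULES.items()
                  if rule_matches(rule, pkt, variables))


def coverage(variables):
    """Which rules fire for each constructed packet under one variable set."""
    return {name: fired(variables, name) for name in PACKETS}


if __name__ == "__main__":
    for label, variables in (("EXTERNAL_NET = !$HOME_NET", VARS_STRICT),
                             ("EXTERNAL_NET = any", VARS_ANY)):
        print(label)
        for pkt, hits in coverage(variables).items():
            print(f"  {pkt:16} -> {hits or ['(no rule fires)']}")
```

Running it shows the asymmetry the post complains about: with EXTERNAL_NET set to `!$HOME_NET`, the LAN-to-LAN packet matches neither stock rule (the source is not external for sid:2003, the destination is not external for sid:2004) and only the proposed `any any -> $HOME_NET` header catches it, while with EXTERNAL_NET set to `any` all three headers fire on the same packet. Internet-to-LAN and LAN-to-Internet traffic is covered identically under both settings, so the difference is confined to traffic that stays inside HOME_NET.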
