Snort mailing list archives
rules and the EXTERNAL_NET variable
From: adam_peterson () splwg com
Date: Wed, 26 Nov 2003 13:47:24 -0800
I've now defined the EXTERNAL_NET variable as !$HOME_NET, excluding my defined internal subnets. I have 2 sensors running to compare the results of also having the EXTERNAL_NET set to 'any' and found that, much to my dismay, the vast majority of rules specify EXTERNAL_NET as the source, so even though I'm getting far fewer false positives with the new/test sensor, I'm also going to potentially miss a virus-based attack on my LANs. It seems as though certain types of attacks, specifically any attack coming from a virus, should not specify the EXTERNAL_NET variable as the source, because this means that the EXTERNAL_NET variable MUST be defined as 'any' or viruses will be missed. My reasoning is that the Slammer worm, for example, has 2 rules:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2004; rev:1;)

With the EXTERNAL_NET variable NOT set to 'any,' SQL Worm propagation on the LAN/WAN will not be caught, because there is no rule specifying any source unless one assumes that EXTERNAL_NET has been set to 'any.'

Am I correct that this type of rule, that is, a rule specifically for a virus, should ideally be written as:

alert udp any any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

if you're using EXTERNAL_NET to mean what, again IMHO, it should mean? It's the same for Nimda, except there isn't an outbound rule for Nimda, so more could be missed. It seems it would make more sense this way, but maybe my configuration is unique? Or maybe it's just Wednesday afternoon before a 4-day weekend... Should I expect to customize my rules to this level of detail if I expect to seriously limit the amount of false positives? I've always just disabled as many rules that cause false positives as possible, but now I'm running into rules that I can't in my right mind disable. Maybe I'm just reaching the next step in customization? I could really use a sanity check before going through every rule.

Adam Peterson | Senior WAN Engineer | SPL WorldGroup | adam_peterson () splwg com
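The effect Adam describes can be checked without a sensor. The script below is an added example, not code from the original post or from the Snort project: it models only the address and port part of a Snort rule header (the `content:` matching is ignored) and resolves `$HOME_NET` / `$EXTERNAL_NET` the way snort.conf variables work, including `!$VAR` negation. The HOME_NET subnets, the three packets and the rule labels are constructed for illustration; the three header patterns are the ones quoted above (SID 2003 inbound, SID 2004 outbound, and the proposed `any any -> $HOME_NET 1434` form).

```python
"""Model of Snort header address matching under different EXTERNAL_NET settings.

Added example; not part of the mailing-list post and not Snort's own code.
Only the header (proto, src, sport, dst, dport) is evaluated, not rule options.
"""
import ipaddress

# Constructed HOME_NET, written the way snort.conf takes a list: var HOME_NET [a,b]
VARIABLES = {"HOME_NET": "[10.0.0.0/8,192.168.0.0/16]"}

# Header portions of the rules discussed in the post (labels are ours).
RULES = {
    "2003": "udp $EXTERNAL_NET any -> $HOME_NET 1434",      # inbound propagation
    "2004": "udp $HOME_NET any -> $EXTERNAL_NET 1434",      # OUTBOUND propagation
    "any-src": "udp any any -> $HOME_NET 1434",             # proposed rewrite
}

# Constructed packets: (src, sport, dst, dport). 203.0.113.0/24 is documentation space.
INTERNET_TO_LAN = ("203.0.113.7", 2345, "10.1.2.3", 1434)
LAN_TO_INTERNET = ("10.1.2.3", 1434, "203.0.113.7", 1434)
LAN_TO_LAN = ("10.1.2.3", 1434, "192.168.5.6", 1434)       # worm hopping between subnets


def _expand(spec, variables):
    """Resolve an address spec to (negated, networks); networks=None means 'any'."""
    spec = spec.strip()
    if spec == "any":
        return False, None
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        # !$HOME_NET flips the sense of whatever HOME_NET itself expands to
        inner_neg, nets = _expand(variables[spec[1:]], variables)
        return negated ^ inner_neg, nets
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]
    return negated, nets


def addr_matches(spec, ip, variables=VARIABLES):
    """True if ip satisfies spec ('any', CIDR, [list], $VAR, !$VAR)."""
    negated, nets = _expand(spec, variables)
    if nets is None:
        return True
    hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negated


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(header, pkt, variables=VARIABLES):
    """Evaluate 'proto SRC SPORT -> DST DPORT' against a (src, sport, dst, dport) tuple."""
    _proto, src_spec, sport_spec, arrow, dst_spec, dport_spec = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are modelled")
    src, sport, dst, dport = pkt
    return (addr_matches(src_spec, src, variables)
            and port_matches(sport_spec, sport)
            and addr_matches(dst_spec, dst, variables)
            and port_matches(dport_spec, dport))


def firing_sids(external_net, pkt):
    """Which rule headers match pkt when EXTERNAL_NET is set to external_net."""
    variables = dict(VARIABLES, EXTERNAL_NET=external_net)
    return sorted(sid for sid, hdr in RULES.items() if header_matches(hdr, pkt, variables))


if __name__ == "__main__":
    for setting in ("!$HOME_NET", "any"):
        print(f"EXTERNAL_NET {setting}")
        for name, pkt in (("internet->LAN", INTERNET_TO_LAN),
                          ("LAN->internet", LAN_TO_INTERNET),
                          ("LAN->LAN", LAN_TO_LAN)):
            print(f"  {name:14} {pkt[0]} -> {pkt[2]}:{pkt[3]}  fires: {firing_sids(setting, pkt)}")
```

Running it shows the point of the post: with `EXTERNAL_NET !$HOME_NET`, a LAN-to-LAN packet to udp/1434 matches neither SID 2003 nor SID 2004, only the `any`-source header; with `EXTERNAL_NET any`, the same packet matches both stock rules (and inbound traffic additionally matches the rewritten rule regardless of the variable). The trade-off is the usual one: the `any`-source form catches internal propagation but also re-admits the internal-to-internal false positives that `!$HOME_NET` was introduced to suppress.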
Current thread:
- rules and the EXTERNAL_NET variable adam_peterson (Nov 26)
- <Possible follow-ups>
- RE: rules and the EXTERNAL_NET variable Schmehl, Paul L (Nov 26)