Snort mailing list archives
RE: HOME_NET question
From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Fri, 4 Jun 2004 08:48:41 -0400
Hi Seth,

Making the assumption that you are spanning all the DMZ and VLAN traffic to your Snort sensor you should be good. I would also recommend setting your server specific IPs in the HTTP_SERVERS, SMTP_SERVERS, etc. options; it really helps to reduce the false positives.

If you want to get really fancy you can declare your DMZ and VLAN subnets as a new variable and then set HOME_NET as that variable and EXTERNAL_NET as the 'not' of the variable. Then take the new variable you created and use it as the source in sigs that you disable due to too many false positives such as the various worm sigs. This way you will have Snort watching your own network for infections and if you see a worm sig (or others) alert you, you know you have a problem and not just noise off the net.

An example for you:

    var DMZ_NET [192.168.1.0/24]
    var HOME_NET $DMZ_NET
    var EXTERNAL_NET !$DMZ_NET
    alert <proto> $DMZ_NET any -> $EXTERNAL_NET any (<some worm sig (or other) you modified from the normal Snort rules and set in local.rules>;)

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario M5H 3B7
(416)327-1107

-----Original Message-----
From: sart () trialgraphix com [mailto:sart () trialgraphix com]
Sent: June 3, 2004 2:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] HOME_NET question

I have only one IDS and it is on the DMZ. For the HOME_NET var do I just put in the subnet of the DMZ or do I put in my VLAN subnets also? Right now I have the DMZ and my 2 VLAN subnets in var HOME_NET and I was just wondering if that is correct.

Lastly, after running Snort on the default rule set with 2.1.2 for a couple of weeks I finally used oinkmaster to get and use the latest stable rules. Now in the past 3 hours I have only gotten 3 alerts besides my self tests and they are all the robot.txt alert from the search engines. Is this normal for a sensor on a DMZ with a non-MS webserver, email server, and ftp server? Was I just used to getting all those false positives from the default ruleset? It seems so quiet now.

Thanks guys,
Seth Art
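As an added example that is not part of the original thread, the following Python resolver walks the `var` scheme Shawn describes (a `$VAR` reference and a `!$VAR` negation) and then shows why a hit with a `$DMZ_NET` source and an `$EXTERNAL_NET` destination lands in the "own network infected" bucket rather than the Internet-noise bucket. The snort.conf fragment, the addresses and the `classify_alert` labels are constructed for this example.

```python
"""Resolve Snort 2.x-style `var` definitions with `$VAR` references and `!`
negation, then classify an alert's endpoints against the resolved sets.
Constructed sample config (not a real deployment); addresses are made up."""
import ipaddress
import re

# Constructed snort.conf fragment mirroring the DMZ_NET / HOME_NET / EXTERNAL_NET idea.
SAMPLE_CONF = """
var DMZ_NET [192.168.1.0/24]
var HOME_NET $DMZ_NET
var EXTERNAL_NET !$DMZ_NET
var HTTP_SERVERS [192.168.1.10,192.168.1.11]
"""

def parse_vars(conf):
    """Return {name: (negated, [networks])} after resolving $VAR references."""
    raw = dict(re.findall(r"^\s*var\s+(\S+)\s+(\S+)\s*$", conf, re.M))
    resolved = {}

    def resolve(name):
        if name in resolved:
            return resolved[name]
        value = raw[name]
        negated = value.startswith("!")      # leading '!' complements the set
        value = value.lstrip("!")
        if value.startswith("$"):            # reference to another variable
            inner_neg, nets = resolve(value[1:])
            negated ^= inner_neg             # two negations cancel out
        else:                                # literal [a.b.c.d/nn,...] list
            nets = [ipaddress.ip_network(n) for n in value.strip("[]").split(",")]
        resolved[name] = (negated, nets)
        return resolved[name]

    for name in raw:
        resolve(name)
    return resolved

def matches(var, addr, variables):
    """True if addr falls in the variable's address set, honouring negation."""
    negated, nets = variables[var]
    inside = any(ipaddress.ip_address(addr) in n for n in nets)
    return inside != negated

def classify_alert(src, dst, variables):
    """Label a DMZ_NET -> EXTERNAL_NET hit as the case Shawn's local.rules rule
    is meant to surface; inbound hits are the usual background noise."""
    if matches("DMZ_NET", src, variables) and matches("EXTERNAL_NET", dst, variables):
        return "outbound from DMZ host: investigate for infection"
    if matches("EXTERNAL_NET", src, variables) and matches("HOME_NET", dst, variables):
        return "inbound from Internet: expected background noise"
    return "internal-to-internal"
```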