Snort mailing list archives

RE: HOME_NET question


From: "Truax, Shawn (MBS)" <Shawn.Truax () mbs gov on ca>
Date: Fri, 4 Jun 2004 08:48:41 -0400

Hi Seth,

        Making the assumption that you are spanning all the DMZ and VLAN
traffic to your Snort sensor, you should be good.  I would also recommend
setting your server-specific IPs in the HTTP_SERVERS, SMTP_SERVERS, etc.
options; it really helps to reduce the false positives.

        If you want to get really fancy you can declare your DMZ and VLAN
subnets as a new variable, then set HOME_NET to that variable and
EXTERNAL_NET to the 'not' of the variable.  Then take the new variable you
created and use it as the source in sigs that you disabled due to too many
false positives, such as the various worm sigs.  This way you will have Snort
watching your own network for infections, and if you see a worm sig (or
another) alert you, you know you have a problem and not just noise off the
net.


An example for you:

var DMZ_NET [192.168.1.0/24]
var HOME_NET $DMZ_NET
var EXTERNAL_NET !$DMZ_NET

# Some worm sig (or other) you modified from the normal snort rules and set in local.rules
# (a rule line needs a protocol and $-prefixed variable references):
alert tcp $DMZ_NET any -> $EXTERNAL_NET any (<options of the worm sig you copied into local.rules>)

Shawn Truax
Security Specialist
Corporate Security
155 University Ave.
Toronto, Ontario
M5H 3B7
(416)327-1107


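The variable trick in the reply above, as an added example that is not part of Shawn's post and not code from the Snort project: a small Python emulation of how Snort 2.x reads `var` IP lists, `$NAME` references and a leading `!`, used to check which flows a rule written as `$DMZ_NET any -> $EXTERNAL_NET any` would fire on. The snort.conf fragment, the subnets (DMZ_NET, VLAN_NET, INSIDE_NET) and the three sample flows are constructed for the illustration; the functions parse_vars, resolve and rule_matches are this example's own, not Snort APIs, and mixed include/exclude lists such as `[$A,!b]` are deliberately not modelled.

```python
"""Snort 2.x IP-variable semantics, emulated in Python (added example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed snort.conf fragment in the style of the post (assumed subnets).
SNORT_CONF = """\
var DMZ_NET [192.168.1.0/24]
var VLAN_NET [10.10.1.0/24,10.10.2.0/24]
var INSIDE_NET [$DMZ_NET,$VLAN_NET]
var HOME_NET $INSIDE_NET
var EXTERNAL_NET !$INSIDE_NET
"""


@dataclass
class AddrSpec:
    """An address specification: an IP matches if it is inside some positive
    network (or there are none) and inside no negated network."""
    positive: list = field(default_factory=list)
    negative: list = field(default_factory=list)

    def negate(self) -> "AddrSpec":
        # Only pure include or pure exclude lists are flipped; '!any' and
        # Snort's mixed [$A,!b] negation are outside this toy model.
        if (self.positive and self.negative) or not (self.positive or self.negative):
            raise NotImplementedError("negation of mixed list or of 'any'")
        return AddrSpec(positive=list(self.negative), negative=list(self.positive))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        in_pos = not self.positive or any(addr in n for n in self.positive)
        in_neg = any(addr in n for n in self.negative)
        return in_pos and not in_neg


def parse_vars(conf: str) -> dict:
    """Collect `var NAME VALUE` lines; a later definition overrides an earlier one."""
    out = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            out[parts[1]] = parts[2]
    return out


def resolve(spec: str, variables: dict) -> AddrSpec:
    """Expand `any`, `a.b.c.d/n`, `$VAR`, `[x,y,...]` and a leading `!`."""
    spec = spec.strip()
    if spec.startswith("!"):
        return resolve(spec[1:], variables).negate()
    if spec == "any":
        return AddrSpec()  # no constraint at all
    if spec.startswith("$"):
        return resolve(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        merged = AddrSpec()
        for part in spec[1:-1].split(","):
            sub = resolve(part, variables)
            merged.positive += sub.positive
            merged.negative += sub.negative
        return merged
    return AddrSpec(positive=[ipaddress.ip_network(spec, strict=False)])


def rule_matches(src_spec: str, dst_spec: str, src_ip: str, dst_ip: str,
                 variables: dict) -> bool:
    """Source/destination check for a one-way rule `alert tcp SRC any -> DST any (...)`."""
    return (resolve(src_spec, variables).contains(src_ip)
            and resolve(dst_spec, variables).contains(dst_ip))


# Constructed flows: an infected DMZ host scanning out, an Internet host
# scanning in, and the same DMZ host probing an internal VLAN.
SAMPLE_FLOWS = {
    "dmz_host_scanning_internet": ("192.168.1.20", "203.0.113.5"),
    "internet_host_scanning_dmz": ("198.51.100.9", "192.168.1.20"),
    "dmz_host_scanning_vlan": ("192.168.1.20", "10.10.1.7"),
}


def classify_flows(conf: str = SNORT_CONF) -> dict:
    """Which sample flows would the post's outbound worm rule alert on?"""
    variables = parse_vars(conf)
    return {name: rule_matches("$DMZ_NET", "$EXTERNAL_NET", s, d, variables)
            for name, (s, d) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, hit in classify_flows().items():
        print(f"{name:30s} {'ALERT' if hit else '-'}")
```

The third flow is the caveat worth noticing: once EXTERNAL_NET is defined as the negation of everything you own, a DMZ host probing the VLAN subnets is neither source-external nor destination-external, so an outbound-only worm rule stays silent on that lateral movement. If you want those hits as well, add a second copy of the sig with $VLAN_NET (or $HOME_NET) as the destination.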

-----Original Message-----
From: sart () trialgraphix com [mailto:sart () trialgraphix com]
Sent: June 3, 2004 2:53 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] HOME_NET question


I have only one IDS and it is on the DMZ.
For the HOME_NET var do I just put in the subnet of the DMZ, or do I put in
my VLAN subnets also?
Right now I have the DMZ and my 2 VLAN subnets in var HOME_NET and I was
just wondering if that is correct.

Lastly, after running Snort on the default rule set with 2.1.2 for a
couple of weeks I finally used oinkmaster to get and use the latest stable
rules.   Now in the past 3 hours I have only gotten 3 alerts besides my
self tests, and they are all the robots.txt alert from the search engines.
Is this normal for a sensor on a DMZ with a non-MS web server, email
server, and ftp server?   Was I just used to getting all those false
positives from the default ruleset?  It seems so quiet now.

Thanks guys,

Seth Art



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
