Snort mailing list archives

Re: snort.conf


From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Wed, 21 Apr 2004 08:38:11 +0100



--On 20 April 2004 19:18 -0400 Matt Kettler <mkettler () evi-inc com> wrote:

At 03:05 PM 4/20/2004, Chuck Holley wrote:
[snip]
 What does the external_net mean??  I guess I am looking for a sample
conf with explanations of my options and what they mean.  I am brand new
to IDS, excuse my ignorance.

EXTERNAL_NET is just a variable used by many rules in the ruleset. Most
of the default ruleset looks for attacks which come from an IP address in
EXTERNAL_NET and go to HOME_NET. Others look for exploit responses going
the other way.

In general, EXTERNAL_NET should be set to whatever IP addresses you want
to monitor as potential sources of attack. "any" is a good starting
point, but !HOME_NET also has its merits in that you save CPU time by
not checking packets generated by your own network as a source of attack.

However, what you want/need to monitor is very dependent on what kind of
network you run. For example, if you worked for a university, it might
well be that you would reverse the typical meanings of HOME and EXTERNAL
and monitor for attacks coming from your computer labs and being launched
into the rest of the world.

...or even monitor from any to any. :-)

IMHO, just like outbound (aka egress) filtering, this is good practice and shouldn't just be done by universities.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
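
The settings discussed in this thread ("any", !HOME_NET, reversed HOME/EXTERNAL, and any to any) can be compared by checking which traffic directions a rule headed "$EXTERNAL_NET any -> $HOME_NET any" would inspect under each. This is an added example, not part of the original thread or of Snort itself; the addresses, setting names and helper functions are constructed for illustration, and only single CIDRs, "any", "$VAR" and "!" are modelled.

```python
import ipaddress

def matches(spec, ip, variables):
    """Evaluate a Snort-style address spec: 'any', a CIDR, '$VAR' or '!spec'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return matches(variables[spec[1:]], ip, variables)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def rule_fires(flow, variables):
    """Address check for a rule headed '$EXTERNAL_NET any -> $HOME_NET any'."""
    src, dst = flow
    return (matches("$EXTERNAL_NET", src, variables)
            and matches("$HOME_NET", dst, variables))

# Constructed values: 192.168.10.0/24 stands in for the local network.
LOCAL = "192.168.10.0/24"
SETTINGS = {
    "any":        {"HOME_NET": LOCAL, "EXTERNAL_NET": "any"},
    "not_home":   {"HOME_NET": LOCAL, "EXTERNAL_NET": "!$HOME_NET"},
    # University case from the thread: local labs are the suspected source.
    "reversed":   {"HOME_NET": "!$EXTERNAL_NET", "EXTERNAL_NET": LOCAL},
    "any_to_any": {"HOME_NET": "any", "EXTERNAL_NET": "any"},
}
FLOWS = {  # (source, destination), constructed sample traffic
    "inbound":  ("203.0.113.7", "192.168.10.5"),
    "outbound": ("192.168.10.5", "203.0.113.7"),
    "internal": ("192.168.10.5", "192.168.10.9"),
}

def coverage():
    """Map each setting to the flow directions the rule would inspect."""
    return {name: sorted(f for f, flow in FLOWS.items() if rule_fires(flow, v))
            for name, v in SETTINGS.items()}

if __name__ == "__main__":
    for name, seen in coverage().items():
        print(f"{name:11} inspects: {', '.join(seen)}")
```

The CPU saving of !HOME_NET shows up here as the loss of the "internal" direction, and only the reversed and any-to-any settings inspect traffic leaving the local network.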





