Snort mailing list archives
Re: snort.conf
From: James Riden <j.riden () massey ac nz>
Date: Wed, 21 Apr 2004 21:00:26 +1200
"AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk> writes:
> --On 20 April 2004 19:18 -0400 Matt Kettler <mkettler () evi-inc com> wrote:
>
>> In general, EXTERNAL_NET should be set to whatever IP addresses you want to monitor as potential sources of attack. "any" is a good starting point, but !HOME_NET also has its merits in that you save CPU time by not checking packets generated by your own network as a source of attack.
>>
>> However, what you want/need to monitor is very dependent on what kind of network you run. For example, if you worked for a university, it might well be that you would reverse the typical meanings of HOME and EXTERNAL and monitor for attacks coming from your computer labs and being launched into the rest of the world.
>
> ...or even monitor from any to any. :-)
>
> IMHO, just like outbound (aka egress) filtering, this is good practice and shouldn't just be done by universities.

A lot of my signatures, especially for viruses/worms look for stuff originating from inside and heading anywhere. Frankly, I expect there to be viruses outside, so that's not news. If it's coming from inside, panic time.

It comes naturally after a bit of tweaking - except with flexresp I'm very careful not to send RSTs/port unreachables to external addresses.

-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
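
The trade-off discussed in this thread, as an added example that is not part of any of the posts: a small Python model of Snort rule-header address matching that shows which traffic directions a stock inbound rule and an inside-to-anywhere rule cover under `EXTERNAL_NET any` versus `EXTERNAL_NET !$HOME_NET`. The `HOME_NET` range, the flow addresses and all function names are constructed for illustration, and the model ignores protocol and ports.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("10.1.0.0/16")  # constructed example range

def in_spec(ip, spec):
    """Evaluate a Snort-style address spec: 'any', '$HOME_NET' or '!$HOME_NET'."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in HOME_NET
    if spec == "$HOME_NET":
        return inside
    if spec == "!$HOME_NET":
        return not inside
    raise ValueError(f"unsupported spec: {spec}")

def header_matches(rule, flow, external_net):
    """rule = (src_spec, dst_spec); $EXTERNAL_NET is expanded as snort.conf defines it."""
    src_spec, dst_spec = (external_net if s == "$EXTERNAL_NET" else s for s in rule)
    return in_spec(flow[0], src_spec) and in_spec(flow[1], dst_spec)

INBOUND_RULE = ("$EXTERNAL_NET", "$HOME_NET")  # direction used by most stock rules
OUTBOUND_RULE = ("$HOME_NET", "any")           # "originating from inside and heading anywhere"

FLOWS = {  # constructed (source, destination) pairs
    "outside->inside": ("198.51.100.7", "10.1.2.3"),
    "inside->inside": ("10.1.9.9", "10.1.2.3"),
    "inside->outside": ("10.1.9.9", "198.51.100.7"),
}

def coverage(rule, external_net):
    """Return the names of the sample flows whose addresses match the rule header."""
    return {name for name, flow in FLOWS.items()
            if header_matches(rule, flow, external_net)}

if __name__ == "__main__":
    for ext in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET={ext}: inbound rule sees",
              sorted(coverage(INBOUND_RULE, ext)))
    print("inside->any rule sees", sorted(coverage(OUTBOUND_RULE, "any")))
```

With `!$HOME_NET` the inbound rule stops inspecting inside-to-inside traffic, and under either setting only the inside-to-anywhere rule sees an infected internal host reaching out.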