Snort mailing list archives

Re: Finding rules for internal network


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 07 Feb 2005 16:45:01 -0500

At 04:10 PM 2/7/2005, sEc nErD wrote:
I am trying to work through a Snort box on Debian configured by some other engineer for the rule sets. I have to find out why Snort is able to detect outside scans on the network but not able to detect inside scans; for the inside scan the scanner used is SuperScan.

Could anybody tell me where exactly to look in the rule set / snort.conf?

For rules, most rules in snort look for attacks from "EXTERNAL_NET" to "HOME_NET", and ignore attacks not coming from EXTERNAL_NET.

If you want to monitor attacks in general, HOME_NET and EXTERNAL_NET should both be set to "any".

Also, you need to be sure that the snort box will even see the traffic in question. It's pretty much impossible to monitor all traffic inside an entire lan, unless you only use hubs. With switches you can use spanning to monitor one or more ports, but it's difficult to capture everything on all ports without the switch dropping packets.

Also, be aware that the portscan preprocessors handle things differently, and you may need to modify their parameters separately.
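To see why the usual variable settings hide an inside-to-inside scan, here is an added Python model (not code from this thread or from Snort) of how `$EXTERNAL_NET` and `$HOME_NET` are evaluated for a rule header written as `$EXTERNAL_NET any -> $HOME_NET any`. The CIDR values and the supported variable syntax (`any`, one CIDR, a bracketed list, and a leading `!`) are assumptions chosen for illustration.

```python
"""Model of how Snort's HOME_NET / EXTERNAL_NET variables decide whether a
rule of the form  $EXTERNAL_NET any -> $HOME_NET any  can match a packet.

Added example; not code from the mailing-list thread or from Snort itself.
Only the snort.conf subset relevant to the question is handled: 'any',
a single CIDR, a bracketed list [a,b], and a leading '!' negation.
All addresses below are constructed sample values."""
import ipaddress

def parse_addr_var(value, variables):
    """Return (negated, networks) for a snort.conf address value.
    networks is None when the value resolves to 'any'."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if value.startswith("$"):  # reference to another variable, e.g. !$HOME_NET
        inner_neg, nets = parse_addr_var(variables[value[1:]], variables)
        return negated ^ inner_neg, nets
    if value == "any":
        return negated, None
    value = value.strip("[]")
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",")]
    return negated, nets

def addr_matches(ip, var_value, variables):
    """True if ip satisfies the (possibly negated) address variable."""
    negated, nets = parse_addr_var(var_value, variables)
    in_set = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return in_set != negated

def rule_can_fire(src_ip, dst_ip, variables):
    """Header check for a typical signature: $EXTERNAL_NET any -> $HOME_NET any."""
    return (addr_matches(src_ip, "$EXTERNAL_NET", variables)
            and addr_matches(dst_ip, "$HOME_NET", variables))

# Constructed configurations: a common setup vs. the "both any" advice above.
DEFAULT_CONF = {"HOME_NET": "[192.168.1.0/24,10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET"}
ANY_CONF = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("both any", ANY_CONF)):
        print(name,
              "outside->inside:", rule_can_fire("203.0.113.5", "192.168.1.20", conf),
              "inside->inside:", rule_can_fire("192.168.1.77", "192.168.1.20", conf))
```

With `EXTERNAL_NET !$HOME_NET` the internal scanner's source address is inside HOME_NET, so it can never satisfy `$EXTERNAL_NET` and the rule header is skipped before any payload matching happens.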


