Snort mailing list archives
RE: Snort rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 08 Feb 2005 19:59:51 -0500
At 03:16 PM 2/8/2005, sEc nErD wrote:
> port scans like $external any-->$Home Network
> Now the client is questioning us as to why this should not be checked both ways. He is saying if it is somebody in their network doing a port scan it will go unnoticed. Can anybody answer this?

Really, this is a confusion on your part, but one you've been led to by the choice of wording for "EXTERNAL_NET" and "HOME_NET". Don't take those names too literally.
EXTERNAL_NET should be set to all the hosts that you do not trust. For most networks, this is everything except HOME_NET, but for some networks this is the world.
HOME_NET should be set to all the hosts you want to monitor as a target of attacks. For most networks, this is everything inside, but for some networks, this is the whole world.
Choose EXTERNAL_NET and HOME_NET settings accordingly. Sounds like your client wants EXTERNAL_NET set to "any" and HOME_NET set to their network IPs.
However, even setting EXTERNAL_NET to any will not likely wind up detecting scans running inside a LAN, because the LAN network is switched. Because of the switching snort will not see the packets at all, as they are not even going to arrive at the snort box in the first place.
Monitoring the inside of a lan is tricky, and it's impossible to monitor ALL the traffic inside a lan. Your best bet is using port mirroring on some of your critical trunk ports at the core of the network, or near the server farm.
If this is lost on you, read up on how ethernet switching works. Read in DETAIL. It's very critical you understand the concepts behind switching before even considering trying to set up an in-lan snort sensor. In fact, you really should understand how switching works at a basic level before setting up ANY snort sensor at all. It's very easy to do something like plug snort into a switch port and wonder why it detects nothing until you enable port mirroring.
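As an added illustration (not part of Matt's message or of Snort itself), the following Python model shows how a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` resolves for a few constructed source/destination pairs under the two EXTERNAL_NET choices discussed above: the usual `!$HOME_NET` and the `any` the client seems to want. The 192.168.10.0/24 range and the addresses are made-up sample values.

```python
import ipaddress

# Constructed sample HOME_NET (not from the post); a list so multiple ranges work.
HOME_NET = ["192.168.10.0/24"]


def in_nets(ip, nets):
    """True if ip falls inside any of the CIDR ranges in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def matches_var(ip, var, home_net):
    """Resolve one Snort address variable against an IP.

    Supports the three spellings relevant here: 'any', '$HOME_NET' and the
    negated '!$HOME_NET' (the conventional EXTERNAL_NET setting).
    """
    if var == "any":
        return True
    if var == "$HOME_NET":
        return in_nets(ip, home_net)
    if var == "!$HOME_NET":
        return not in_nets(ip, home_net)
    raise ValueError("unsupported variable spelling: %s" % var)


def rule_fires(src, dst, external_net, home_net=HOME_NET):
    """Does a '$EXTERNAL_NET any -> $HOME_NET any' header match src -> dst?

    The rule is one-directional: the source must satisfy EXTERNAL_NET and the
    destination must be inside HOME_NET. Port fields are 'any' and ignored.
    """
    return (matches_var(src, external_net, home_net)
            and matches_var(dst, "$HOME_NET", home_net))


def compare_settings(src, dst):
    """Evaluate the same flow under both EXTERNAL_NET settings."""
    return {s: rule_fires(src, dst, s) for s in ("!$HOME_NET", "any")}


if __name__ == "__main__":
    # Outside host scanning an inside host, then an inside host scanning a neighbour.
    print(compare_settings("203.0.113.9", "192.168.10.20"))   # both settings match
    print(compare_settings("192.168.10.7", "192.168.10.20"))  # only 'any' matches
```

Even under `any`, an inside host scanning outward never matches this header because the destination is not in HOME_NET, and as the message points out, a sensor on a switched segment must actually receive the inside-to-inside packets before any of this evaluation happens.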