Re: newbie question about $HOME_NET

[Joel Esler <jesler () sourcefire com>]

You could leave HOME_NET and EXTERNAL_NET as "any" to detect traffic in both
directions regardless of signature.  But you will wind up with a LOT of
alerts.
J

On Mon, Oct 5, 2009 at 12:02 PM, Daniel Qian <daniel.qian () supracanada com>wrote:

>  Perhaps I did not make it clear. What I really want to detect is for
> those traffic between my network and the Internet,  and in both direction
>
> A lot of times when a host is compromised it will be made to attach other
> people on the Internet and I want to detect this kind of activities as well.
> For traffic between my own hosts I am thinking to set up another snort box
> tapping on the inside VLAN protected by my Cisco ASA firewall. The Cisco ASA
> currently has an IPS module to protect that VLAN from outside.
>
> Thanks,
> Daniel
>
>
> ----- Original Message -----
> *From:* JJ Cummings <cummingsj () gmail com>
> *To:* Daniel Qian <daniel.qian () supracanada com>
> *Cc:* snort-users () lists sourceforge net
> *Sent:* Monday, October 05, 2009 10:33 AM
> *Subject:* Re: [Snort-users] newbie question about $HOME_NET
>
> In that case, you still want your $HOME_NET variable set to your network
> block that you are "protecting".  But you should set your $EXTERNAL_NET to
> any.. this will let you see internal attacks against internal hosts (of
> course this assumes that you have your SPAN session / TAP setup to see this
> internal traffic).
>
> On Mon, Oct 5, 2009 at 8:11 AM, Daniel Qian <daniel.qian () supracanada com>wrote:
>
> > I am implementing Snort on our hosting network at the point where our two
> > IPS links are connected - all traffic flowing on the two VLANs for ISPs
> > are
> > SPANed to the snort sniffing port.
> >
> > Some documents recommend setting $HOME_NET to my network block and a lot
> > of
> > detection rules actually have reference to this variable. The question is,
> > if I want to detect bad traffic originating from a compromised host on my
> > network should this variable be set to the default ANY? or is it common
> > and
> > proper way in this situation?
> >
> > Thanks in advance
> > Daniel
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> > is the only developer event you need to attend this year. Jumpstart your
> > developing skills, take BlackBerry mobile applications to market and stay
> > ahead of the curve. Join us from November 9&#45;12, 2009. Register
> > now&#33;
> > http://p.sf.net/sfu/devconf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
> http://p.sf.net/sfu/devconf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users