Snort mailing list archives

Re: How can i stop alerts that come from my own ip range?


From: Seth Art <sethsec () gmail com>
Date: Thu, 6 May 2010 11:09:15 -0500

Yea.  I have been defaulting to EXTERNAL_NET = !$HOME_NET for years,
but over the past few months I have started to think a change might
be in order.

How about everyone else?  Which way are most people leaning these
days?  Aside from the hypothetical, does anyone have any good
experiences where they found something with EXTERNAL_NET set to "any"
that they wouldn't have found otherwise?

-Seth





On Thu, May 6, 2010 at 10:13 AM, Joe Pampel <jpampel () paladyne com> wrote:
Since you can have attacks from HOME_NET to HOME_NET, I have long thought it was best practice to leave EXTERNAL_NET as "ANY".
It means more tweaking to deal with specific internal services which trip the system, but isn't it worth it in the end?

"Swordfish" fantasies aside, your biggest threats are probably not super hackers getting through the firewalls through some magic; it's probably a user hitting a bad web server or a zero-day email attachment exploit. It's so much easier to get something in that way and have it spread locally and/or phone home, etc. (or via sneakernet on someone's USB flash drive...) You really need internal visibility or else you just have a hard shell with a squishy middle.

Just look at the recent Google hack.... a URL in an IM was what they used. Very effective...

JM2C, YMMV and the usual disclaimers apply.

On May 6, 2010, at 10:48 AM, Paul Schmehl wrote:

If you make EXTERNAL_NET any, it would include your own HOME_NET.  Depending
upon routing or the way a sig is written, you could then get alerts from
HOME_NET to HOME_NET.

I thought the standard convention was

var HOME_NET [your address space]
var EXTERNAL_NET !$HOME_NET

--On Wednesday, May 05, 2010 11:40:10 -0400 Joel Esler <jesler () sourcefire com> wrote:

Yeah, I wouldn't do a pass rule at all.  Sounds like to me, exactly what
Matt said.  Define your HOME_NET as the network you want to protect.
EXTERNAL_NET, leave as any.  Go from there.


On Wed, May 5, 2010 at 11:36 AM, Stephen Mullins
<steve.mullins.work () gmail com> wrote:

You could just create 3 pass rules (tcp, udp, icmp) based on your
$HOME_NET variable.

Wouldn't recommend it, though, since traffic from your home net may be
indicative of trojan callbacks and so forth.

You want to pass all traffic with a source IP within your $HOME_NET
variable with a destination that you didn't state.  I suppose you want
to pass all home_net to home_net traffic?  Passing all home_net to
!home_net traffic would be a "pretty bad idea."

Steve Mullins


On Wed, May 5, 2010 at 10:42 AM, Pat McNamara <pmcnamara () nic nu> wrote:



Hi all,
What I am trying to do is to have Snort disregard any alerts that come from my IP range and not even write them to the MySQL database. I think
it must somehow be set in the external_Net, but I can't seem to figure it
out.
Thanks
Pat

Pat McNamara
IT Systems Administrator
.NU domain, Ltd.
Worldnames, Inc.
+1-508-359-5600 x116
pmcnamara () nic nu







------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users








--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson







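As an added example that is not part of this thread or of Snort itself: a small Python model of how a rule header resolves the HOME_NET / EXTERNAL_NET variables (including the negated `!$HOME_NET` form), run over a few constructed flows to show which traffic each EXTERNAL_NET setting reports and what Steve's "pass everything from $HOME_NET" rule would swallow. The 10.0.0.0/16 address space, the three sample flows and the pass-rule-first evaluation order are assumptions of this example.

```python
import ipaddress

# Constructed address space (not from the thread), standing in for
# "var HOME_NET [your address space]".
HOME_NET = "[10.0.0.0/16]"

def matches(spec, ip, variables):
    """True if ip is covered by a Snort-style address spec: 'any', '!spec',
    '$VAR' (resolved via variables, so EXTERNAL_NET may be '!$HOME_NET'),
    or a bare CIDR / bracketed comma-separated list of CIDRs."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return matches(variables[spec[1:]], ip, variables)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False)
               for n in spec.strip("[]").split(",") if n.strip())

def fires(src_spec, dst_spec, flow, variables):
    """Does a header like 'alert ip SRC any -> DST any' match (src, dst)?"""
    src, dst = flow
    return matches(src_spec, src, variables) and matches(dst_spec, dst, variables)

# Constructed sample flows: an inbound probe, internal lateral spread,
# and a compromised internal host phoning home.
FLOWS = {
    "inbound":  ("203.0.113.7", "10.0.5.20"),
    "lateral":  ("10.0.5.20", "10.0.5.21"),
    "callback": ("10.0.5.20", "198.51.100.9"),
}

def visible_flows(external_net, pass_rule=None):
    """Names of the sample flows that an $EXTERNAL_NET -> $HOME_NET or
    $HOME_NET -> $EXTERNAL_NET alert rule reports under the given
    EXTERNAL_NET value, minus anything an optional pass rule swallows."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    seen = set()
    for name, flow in FLOWS.items():
        # Simplification: pass rules are assumed to be evaluated first.
        if pass_rule and fires(*pass_rule, flow, variables):
            continue
        if (fires("$EXTERNAL_NET", "$HOME_NET", flow, variables)
                or fires("$HOME_NET", "$EXTERNAL_NET", flow, variables)):
            seen.add(name)
    return seen
```

Calling `visible_flows("any")` reports all three flows, `visible_flows("!$HOME_NET")` drops the internal lateral flow, and `visible_flows("any", ("$HOME_NET", "any"))` leaves only the inbound probe, i.e. the pass rule also hides the callback.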

