Snort mailing list archives
Re: How can i stop alerts that come from my own ip range?
From: Seth Art <sethsec () gmail com>
Date: Thu, 6 May 2010 11:09:15 -0500
Yea. I have been defaulting to EXTERNAL_NET = !$HOME_NET for years, but over the past few months I have started to think a change might be in order. How about everyone else? Which way are most people leaning these days? Aside from the hypothetical, does anyone have any good experiences where they found something with EXTERNAL_NET set to "any" that they wouldn't have found otherwise?

-Seth

On Thu, May 6, 2010 at 10:13 AM, Joe Pampel <jpampel () paladyne com> wrote:
> Since you can have attacks from HOME_NET to HOME_NET, I have long thought it was best practice to leave EXTERNAL_NET as "ANY". It means more tweaking to deal with specific internal services which trip the system, but isn't it worth it in the end? "Swordfish" fantasies aside, your biggest threats are probably not super hackers getting through the firewalls through some magic; it's probably a user hitting a bad web server or a zero-day email attachment exploit. It's so much easier to get something in that way and have it spread locally and/or phone home, etc. (or via sneakernet on someone's USB flash drive...) You really need internal visibility or else you just have a hard shell with a squishy middle. Just look at the recent Google hack.... a URL in an IM was what they used. Very effective...
>
> JM2C, YMMV and the usual disclaimers apply.
>
> On May 6, 2010, at 10:48 AM, Paul Schmehl wrote:
>> If you make EXTERNAL_NET any, it would include your own HOME_NET. Depending upon routing or the way a sig is written, you could then get alerts from HOME_NET to HOME_NET. I thought the standard convention was
>>
>> var HOME_NET [your address space]
>> var EXTERNAL_NET !$HOME_NET
>>
>> --On Wednesday, May 05, 2010 11:40:10 -0400 Joel Esler <jesler () sourcefire com> wrote:
>>> Yeah, I wouldn't do a pass rule at all. Sounds to me like exactly what Matt said. Define your HOME_NET as the network you want to protect. EXTERNAL_NET, leave as any. Go from there.
>>>
>>> On Wed, May 5, 2010 at 11:36 AM, Stephen Mullins <steve.mullins.work () gmail com> wrote:
>>>> You could just create 3 pass rules (tcp, udp, icmp) based on your $HOME_NET variable. Wouldn't recommend it, though, since traffic from your home net may be indicative of trojan call backs and so forth. You want to pass all traffic with a source IP within your $HOME_NET variable with a destination that you didn't state. I suppose you want to pass all home_net to home_net traffic? Passing all home_net to !home_net traffic would be a "pretty bad idea."
>>>>
>>>> Steve Mullins
>>>>
>>>> On Wed, May 5, 2010 at 10:42 AM, Pat McNamara <pmcnamara () nic nu> wrote:
>>>>> Hi all, what I am trying to do is have snort disregard any alerts that come from my ip range and not even write them to the MySql database. I think it must be somehow set in the external_Net but I can't seem to figure it out.
>>>>>
>>>>> Thanks
>>>>> Pat
>>>>>
>>>>> Pat McNamara
>>>>> IT Systems Administrator
>>>>> .NU domain, Ltd.
>>>>> Worldnames, Inc.
>>>>> +1-508-359-5600 x116
>>>>> pmcnamara () nic nu
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users () lists sourceforge net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead."
>> Thomas Jefferson
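The trade-off Paul and Joe are debating, as an added Python example (not code from the thread or from Snort): a small resolver for Snort-style address specs, applied to a constructed HOME_NET and three constructed flows, showing that a rule header written as $EXTERNAL_NET -> $HOME_NET only sees HOME_NET-to-HOME_NET traffic when EXTERNAL_NET is "any". The HOME_NET ranges, flow addresses and rule names are all assumptions made for the example.

```python
import ipaddress

# Constructed example config (assumption, not from the thread): the HOME_NET to protect.
VARIABLES_BASE = {"HOME_NET": "[192.168.1.0/24,10.0.0.0/8]"}

def parse_ipvar(spec, variables):
    """Resolve a Snort-style address spec into (networks, negated).
    Supports 'any', '$VAR', '!$VAR', a single CIDR, and a bracketed list [a,b]."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        return [], negated  # no networks and not negated means "match everything"
    if spec.startswith("$"):
        nets, inner_negated = parse_ipvar(variables[spec[1:]], variables)
        return nets, negated ^ inner_negated  # '!$X' flips whatever $X resolves to
    items = spec.strip("[]").split(",")
    return [ipaddress.ip_network(item.strip()) for item in items], negated

def ip_matches(ip, spec, variables):
    nets, negated = parse_ipvar(spec, variables)
    if not nets:
        return not negated  # 'any' always matches; '!any' never does
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets) != negated

def rule_fires(rule, flow, variables):
    """rule = (src_spec, dst_spec) as in 'alert tcp SRC any -> DST any'; flow = (src_ip, dst_ip)."""
    src_spec, dst_spec = rule
    src_ip, dst_ip = flow
    return ip_matches(src_ip, src_spec, variables) and ip_matches(dst_ip, dst_spec, variables)

# Constructed sample flows: an inbound attack, a lateral move inside HOME_NET, and a callback out.
FLOWS = {
    "internet->host": ("203.0.113.5", "192.168.1.20"),
    "host->host (lateral)": ("192.168.1.10", "192.168.1.20"),
    "host->internet (callback)": ("192.168.1.10", "203.0.113.5"),
}
# The two rule-header shapes most Snort signatures use.
RULES = {
    "inbound": ("$EXTERNAL_NET", "$HOME_NET"),
    "outbound": ("$HOME_NET", "$EXTERNAL_NET"),
}

def evaluate(external_net):
    """Map each sample flow to which rule headers match under a given EXTERNAL_NET value."""
    variables = dict(VARIABLES_BASE, EXTERNAL_NET=external_net)
    return {name: {rname: rule_fires(rule, flow, variables) for rname, rule in RULES.items()}
            for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {setting}: {evaluate(setting)}")
```

With "!$HOME_NET" the lateral flow matches neither header, which is exactly the internal blind spot Joe describes and the quieter console Paul describes.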
Current thread:
- How can i stop alerts that come from my own ip range? Pat McNamara (May 05)
- Re: How can i stop alerts that come from my own ip range? Matt Olney (May 05)
- Re: How can i stop alerts that come from my own ip range? Joel Esler (May 05)
- Re: How can i stop alerts that come from my own ip range? Stephen Mullins (May 05)
- Re: How can i stop alerts that come from my own ip range? Joel Esler (May 05)
- Re: How can i stop alerts that come from my own ip range? Pat McNamara (May 05)
- Re: How can i stop alerts that come from my own ip range? Joel Esler (May 05)
- Re: How can i stop alerts that come from my own ip range? Matt Olney (May 05)
- Re: How can i stop alerts that come from my own ip range? Paul Schmehl (May 06)
- Re: How can i stop alerts that come from my own ip range? Joe Pampel (May 06)
- Re: How can i stop alerts that come from my own ip range? Seth Art (May 06)
- Re: How can i stop alerts that come from my own ip range? Paul Schmehl (May 07)
- Re: How can i stop alerts that come from my own ip range? Joel Esler (May 05)
- Re: How can i stop alerts that come from my own ip range? Matt Olney (May 05)