Snort mailing list archives

Re: How can i stop alerts that come from my own ip range?


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Fri, 07 May 2010 09:42:09 -0500

I think this problem is better solved by writing appropriate sigs.  In order to 
detect traffic, snort has to be in the path of the traffic.  So, if you want to 
see hosts on your network attacking other hosts on your network and you think 
the traffic will be seen by snort, write a sig like this: $HOME_NET any -> 
$HOME_NET any.  (Or you could write $HOME_NET any -> !$EXTERNAL_NET any.)  At 
least that way you won't have to deal with false positives from outside your 
network.

I think it makes a great deal of sense to not have overlapping IP ranges in 
those two variables, because it discretely and uniquely defines what each 
variable means, which is less confusing to the analyst when trying to write a 
sig that is useful.  In general, when you write sigs, you have some idea of 
what you're looking for, so you should already understand directionality and 
attack vectors.  Adding in the extra confusion of overlapping IP ranges may 
result in alerts that are confusing or that mask other problems with the way 
the sig was written.

Generally, networks allow, internally, a great deal of traffic and protocols 
that never pass the edge.  So writing useful sigs for that sort of traffic is a 
great deal different than writing sigs for external to internal or internal to 
external traffic.

That's my opinion, and I'm sticking to it.  :-)

--On Thursday, May 06, 2010 11:09:15 -0500 Seth Art <sethsec () gmail com> wrote:

Yea.  I have been defaulting to EXTERNAL_NET = !$HOME_NET for years,
but over the past few months I have started to think a change might
be in order.

How about everyone else?  Which way are most people leaning these
days?  Aside from the hypothetical, does anyone have any good
experiences where they found something with EXTERNAL_NET set to "any"
that they wouldn't have found otherwise?

-Seth

On Thu, May 6, 2010 at 10:13 AM, Joe Pampel <jpampel () paladyne com> wrote:
Since you can have attacks from HOME_NET to HOME_NET, I have long thought it
was best practice to leave EXTERNAL_NET as "ANY".  It means more tweaking to
deal with specific internal services which trip the system, but isn't it
worth it in the end?

"Swordfish" fantasies aside, your biggest threats are probably not super
hackers getting through the firewalls through some magic;  it's probably a
user hitting a bad web server or a zero-day email attachment exploit.  It's
so much easier to get something in that way and have it spread locally
and/or phone home, etc. (or via sneakernet on someone's USB flash drive...)
You really need internal visibility or else you just have a hard shell
with a squishy middle.

Just look at the recent Google hack.... a URL in an IM was what they used.
Very effective...

JM2C, YMMV and the usual disclaimers apply.

On May 6, 2010, at 10:48 AM, Paul Schmehl wrote:

If you make EXTERNAL_NET any, it would include your own HOME_NET.
Depending upon routing or the way a sig is written, you could then get
alerts from HOME_NET to HOME_NET.

I thought the standard convention was

var HOME_NET [your address space]
var EXTERNAL_NET !$HOME_NET

--On Wednesday, May 05, 2010 11:40:10 -0400 Joel Esler
<jesler () sourcefire com> wrote:

Yeah, I wouldn't do a pass rule at all.  Sounds to me like exactly what
Matt said.  Define your HOME_NET as the network you want to protect.
EXTERNAL_NET, leave as any.  Go from there.


On Wed, May 5, 2010 at 11:36 AM, Stephen Mullins
<steve.mullins.work () gmail com> wrote:

You could just create 3 pass rules (tcp, udp, icmp) based on your
$HOME_NET variable.

Wouldn't recommend it, though, since traffic from your home net may be
indicative of trojan call backs and so forth.

You want to pass all traffic with a source IP within your $HOME_NET
variable with a destination that you didn't state.  I suppose you want
to pass all home_net to home_net traffic?  Passing all home_net to
!home_net traffic would be a "pretty bad idea."

Steve Mullins


On Wed, May 5, 2010 at 10:42 AM, Pat McNamara <pmcnamara () nic nu> wrote:
Hi all,
What I am trying to do is have snort disregard any alerts that come from my
IP range and not even write them to the MySQL database.  I think it must
somehow be set in EXTERNAL_NET, but I can't seem to figure it out.
Thanks
Pat

Pat McNamara
IT Systems Administrator
.NU domain, Ltd.
Worldnames, Inc.
+1-508-359-5600 x116
pmcnamara () nic nu

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson


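Added example (not from the thread or from Snort's own code): a small Python model of how the EXTERNAL_NET definition changes which rule headers an internal-to-internal flow matches. The HOME_NET ranges and sample addresses are constructed, ports are ignored, and the four rule headers are the ones discussed in the thread.

```python
import ipaddress

# Constructed address space for the example (assumption, not from the thread).
HOME_NET = "[10.0.0.0/8,192.168.1.0/24]"

RULE_HEADERS = {
    "inbound":      "$EXTERNAL_NET any -> $HOME_NET any",
    "outbound":     "$HOME_NET any -> $EXTERNAL_NET any",
    "internal":     "$HOME_NET any -> $HOME_NET any",
    "internal_alt": "$HOME_NET any -> !$EXTERNAL_NET any",  # Paul's variant
}


def in_set(ip, spec, variables):
    """Evaluate a Snort-style address spec against one IP.

    Supports 'any', '$VAR', negation with '!', a single IP or CIDR,
    and a bracketed list such as '[10.0.0.0/8,192.168.1.0/24]'.
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not in_set(ip, spec[1:], variables)
    if spec.startswith("$"):
        return in_set(ip, variables[spec[1:]], variables)
    if spec.startswith("["):
        return any(in_set(ip, part, variables) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(header, src, dst, variables):
    """Match the address parts of 'SRC port -> DST port'; ports are ignored."""
    left, right = header.split("->")
    return (in_set(src, left.split()[0], variables)
            and in_set(dst, right.split()[0], variables))


def matching_rules(src, dst, external_net):
    """Return the rule names whose header matches a src->dst flow for the
    given EXTERNAL_NET definition ('any' or '!$HOME_NET')."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    return sorted(name for name, hdr in RULE_HEADERS.items()
                  if header_matches(hdr, src, dst, variables))


if __name__ == "__main__":
    for ext in ("any", "!$HOME_NET"):
        # Internal-to-internal flow: the case the thread argues about.
        print(ext, "->", matching_rules("10.1.2.3", "192.168.1.20", ext))
```

With EXTERNAL_NET set to any, an internal flow fires the inbound and outbound headers as well as the internal one; with !$HOME_NET only the two internal headers match, and Paul's !$EXTERNAL_NET variant only works under the non-overlapping definition.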
