Snort mailing list archives

Re: Internal Network vs. External Network

From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 12 Sep 2012 16:21:55 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 12/09/2012 16:04, Turnbough, Bradley E. wrote:

I have two networks behind my firewall which have a IDS
requirement.  They are both "Internal" because they're "inside" my
company.

Snort operates on "Internal" and "External" networks.

Should I consider the "internal networks" the ones that require the
IDS, and everything outside of them to be "external networks"?


Yes - a good starting point is generally

ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET

Obviously replacing the RFC1918 addresses with your actual public
address ranges.

There is an argument for

ipvar EXTERNAL_NET any

if your IDS is placed where it might see intra-network traffic - i.e.
traffic from one of your hosts to another typically indicative of
worm-like activity.

However generally the majority of unusual traffic these days seems to
be either heading from your HOME_NET to EXTERNAL_NET - or EXTERNAL_NET
attackers hitting services you may be running on HOME_NET.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQUKiTAAoJELhVoVpEMS6RY5MH/1XKSjE7vmQcT/GpeJRmdH3Z
XRzGSMYg/pkMbmk+fds2/LowBcIuB7ngojMNnBOHawqffVvJYBi1/SO+IhdJzMyo
WJg4dytclwGNaj97FQPbr6HYQKRGQf2Oqj4fkFmfMkoln0t5aNQGI0K5BO6eY2Q5
z4YOFjebz4QXAN6zQu9xW888iS8rcR9g/Bzc50+meQSpnb6xlMYi7Ag5VJ6pCDl/
qQbpanaDHlf+kXsKT7GUGT2idGP1/Q5NoeK8HG/YHvQc9KwI1oR0Pg2nKWp9wvr9
+9OfgP7o1fxb0PDCGxdbZ1xJmeiKkgGMF93cAX0IivkQKuHtN0NeuCbCFH7UEr4=
=69uv
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Internal Network vs. External Network Turnbough, Bradley E. (Sep 12)
- Re: Internal Network vs. External Network Peter Bates (Sep 12)
  - Re: Internal Network vs. External Network Giles Coochey (Sep 12)
- Re: Internal Network vs. External Network Joel Esler (Sep 12)