Snort mailing list archives
Re: Internal Network vs. External Network
From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 12 Sep 2012 16:21:55 +0100
Hello all

On 12/09/2012 16:04, Turnbough, Bradley E. wrote:
> I have two networks behind my firewall which have an IDS requirement. They are both "Internal" because they're "inside" my company. Snort operates on "Internal" and "External" networks. Should I consider the "internal networks" the ones that require the IDS, and everything outside of them to be "external networks"?

Yes - a good starting point is generally

    ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
    ipvar EXTERNAL_NET !$HOME_NET

Obviously replacing the RFC1918 addresses with your actual public address ranges.

There is an argument for

    ipvar EXTERNAL_NET any

if your IDS is placed where it might see intra-network traffic - i.e. traffic from one of your hosts to another typically indicative of worm-like activity.

However generally the majority of unusual traffic these days seems to be either heading from your HOME_NET to EXTERNAL_NET - or EXTERNAL_NET attackers hitting services you may be running on HOME_NET.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
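
Added example, not part of the original message: a simplified Python model of how a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` covers traffic under the two EXTERNAL_NET definitions discussed in the reply. It models address matching only, not Snort itself; the function names and sample flows are constructed for illustration.

```python
import ipaddress

# HOME_NET exactly as given in the reply (RFC1918 ranges).
HOME_NET = ["192.168.0.0/16", "10.0.0.0/8"]


def in_nets(addr, cidrs):
    """True if addr falls inside any of the CIDR blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def make_var(kind, home=HOME_NET):
    """Predicate for one variable: 'home' ($HOME_NET),
    'not_home' (!$HOME_NET) or 'any'."""
    if kind == "home":
        return lambda a: in_nets(a, home)
    if kind == "not_home":
        return lambda a: not in_nets(a, home)
    if kind == "any":
        return lambda a: True
    raise ValueError(kind)


def header_matches(src, dst, external_kind):
    """Does '$EXTERNAL_NET any -> $HOME_NET any' cover the flow src -> dst?"""
    return make_var(external_kind)(src) and make_var("home")(dst)


# Constructed sample flows (documentation and RFC1918 addresses, not real traffic).
FLOWS = [
    ("203.0.113.7", "192.168.1.10", "outside host -> internal server"),
    ("10.1.2.3", "192.168.1.10", "internal host -> internal host"),
    ("192.168.1.10", "198.51.100.5", "internal host -> outside host"),
]


def coverage(external_kind):
    """Labels of the sample flows covered by the EXTERNAL_NET -> HOME_NET header."""
    return [label for s, d, label in FLOWS if header_matches(s, d, external_kind)]


if __name__ == "__main__":
    for kind in ("not_home", "any"):
        print(f"EXTERNAL_NET={kind}: {coverage(kind)}")
```

With `!$HOME_NET` the internal-to-internal flow is not covered by this header; with `any` it is, which is the intra-network case the reply describes.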