Snort mailing list archives

Re: home_net as source?


From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Fri, 7 Mar 2014 18:47:18 +0000

I have to agree with Jeremy.  It's finicky at best and downright useless at worst.

Couple that with the separate logging mechanism and you've got yourself a poorly implemented solution to a growing problem.


________________________________
From: Jeremy Hoel [jthoel () gmail com]
Sent: Friday, March 07, 2014 11:56 AM
To: Michael Wisniewski
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] home_net as source?

In my experience, I find the portscan preprocessor is, well, finicky.  When we have it on, we get alerts for clients talking to Windows Domain Controllers and file servers. So its value for client to server on the inside is hard to verify/tune/tweak.


On Fri, Mar 7, 2014 at 3:29 PM, Michael Wisniewski <wiz561 () gmail com> wrote:
I have a question about some of the results I'm seeing.  The majority of results are having the traffic go as expected, with external/outside IPs alerting on my home_net address.  Some alerts have my home_net as the source and outside IPs as the destination.  This is most prevalent in port scanning.

I'm about 99% positive that I'm not starting the portscan from inside...but for some reason, snort thinks I am.

I'm just wondering what the cause of this is.  To me, it seems kind of backwards, but I know that depending on where the sensor is, it might make a difference.  My setup is that I mirrored the port the cable modem is plugged into and then that goes into the firewall...  So...

Cable Modem -> Switch Port 1
Firewall/Router -> Port 2
Snort sensor -> Port 5

Mirrored port 1.

Any help is appreciated.

Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
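The thread's two complaints (home_net showing up as the scanner, and internal clients talking to domain controllers tripping the portscan preprocessor) both come down to which direction each alert actually points. The following is an added triage script, not code from the thread or from Snort: it reads alert_fast-style lines, keeps only sfportscan events (GID 122) and tallies them by direction relative to HOME_NET, listing which internal hosts Snort reported as scanners and what they were reported scanning. The sample alert lines and all addresses are constructed, and 192.168.1.0/24 is assumed as a stand-in for the poster's HOME_NET.

```python
"""Tally Snort sfportscan alerts by direction relative to HOME_NET."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Snort alert_fast format (addresses made up).
# The last line is an ordinary rule hit (GID 1) and must be ignored.
SAMPLE_ALERTS = """\
03/07-11:56:01.123456  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 203.0.113.9 -> 192.168.1.10
03/07-11:57:14.000001  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.50 -> 192.168.1.5
03/07-11:58:30.500000  [**] [122:3:1] (portscan) TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 3] {PROTO:255} 192.168.1.50 -> 198.51.100.7
03/07-11:59:02.250000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.168.1.50:51234
"""

# gid:sid:rev, message, then "{PROTO} src[:port] -> dst[:port]" (IPv4 only).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?\{[^}]+\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def classify(line, home_net):
    """Return (direction, src, dst, msg) for a GID 122 portscan alert,
    or None for any other line. home_net is an iterable of CIDR strings."""
    m = ALERT_RE.search(line)
    if not m or m.group("gid") != "122":
        return None
    nets = [ipaddress.ip_network(n) for n in home_net]
    src = ipaddress.ip_address(m.group("src"))
    dst = ipaddress.ip_address(m.group("dst"))

    def side(ip):
        return "internal" if any(ip in net for net in nets) else "external"

    return f"{side(src)}->{side(dst)}", str(src), str(dst), m.group("msg")


def summarize(text, home_net):
    """Count portscan alerts per direction and map each internal host that
    Snort reported as a scanner to the destinations it was reported hitting."""
    by_direction = Counter()
    internal_scanners = {}
    for line in text.splitlines():
        parsed = classify(line, home_net)
        if parsed is None:
            continue
        direction, src, dst, _ = parsed
        by_direction[direction] += 1
        if direction.startswith("internal"):
            internal_scanners.setdefault(src, set()).add(dst)
    return by_direction, internal_scanners
```

An internal->internal entry whose destinations are the domain controllers or file servers is the false-positive pattern Jeremy describes; an internal->external entry is the case Michael is asking about and is worth checking against the sensor's mirror placement before assuming a host is actually scanning out.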



