Snort mailing list archives
Re: HOME_NET and EXTERNAL_NET question
From: John Sage <jsage () finchhaven com>
Date: Sat, 9 Feb 2002 07:58:13 -0800
Kresna:

I would say that you want to set your $HOME_NET and $EXTERNAL_NET correctly for your network topology, and accomplish what you're *really* trying to do with rules, maybe in local.rules.

There, establish rules that look at traffic outbound, thus:

alert tcp $HOME_NET any -> $EXTERNAL_NET 10101 (msg:"SCAN myscan"; \
    ttl: >220; ack: 0; flags: S; reference:arachnids,439; \
    classtype:attempted-recon; sid:613; rev:1;)

Note that this is only an example, but that the source and destinations are flipped from the original rule in scan.rules.

HTH..

- John
--
Most people don't type their own logfiles; but, what do I care?

On Fri, Feb 08, 2002 at 03:45:10PM -0800, Kresna Prawira wrote:
If I want to monitor traffic originated both from inside network and external network, what is the best way to do that? The reason for this is to monitor if any of my internal users try to hack somebody outside. Right now I put "any" on HOME_NET and EXTERNAL_NET. Thanks.
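The effect of the two variable settings discussed in this thread, as an added example that is not part of the original messages and is not Snort code. It evaluates only the header of the outbound rule (assuming `any` as the source port) against constructed packets; the 192.168.1.0/24 internal range and all addresses are assumptions, and the rule options (ttl, ack, flags) are not modelled.

```python
import ipaddress

def in_net(ip, spec):
    """Match an address against a Snort-style value: 'any', CIDR, or '!CIDR'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"))
    return (ipaddress.ip_address(ip) in net) != negate

def port_ok(want, got):
    return want == "any" or int(want) == got

def header_matches(rule, pkt, variables):
    """Evaluate only the rule header: addresses, ports and the '->' direction."""
    return (in_net(pkt["src"], variables[rule["src"]])
            and port_ok(rule["sport"], pkt["sport"])
            and in_net(pkt["dst"], variables[rule["dst"]])
            and port_ok(rule["dport"], pkt["dport"]))

# Header of the outbound rule: $HOME_NET any -> $EXTERNAL_NET 10101
OUTBOUND_RULE = {"src": "HOME_NET", "sport": "any",
                 "dst": "EXTERNAL_NET", "dport": "10101"}

# Constructed variable sets: the "any"/"any" setup from the question, and
# a topology-based setup (192.168.1.0/24 is an assumed internal range).
VARS_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
VARS_TOPOLOGY = {"HOME_NET": "192.168.1.0/24",
                 "EXTERNAL_NET": "!192.168.1.0/24"}

# Constructed packets; 203.0.113.9 is a documentation address.
PACKETS = {
    "inside_to_outside": {"src": "192.168.1.50", "sport": 40000,
                          "dst": "203.0.113.9", "dport": 10101},
    "outside_to_inside": {"src": "203.0.113.9", "sport": 40000,
                          "dst": "192.168.1.50", "dport": 10101},
    "inside_to_inside": {"src": "192.168.1.50", "sport": 40000,
                         "dst": "192.168.1.60", "dport": 10101},
}

def alerts(variables):
    """Names of the packets on which the outbound rule header would fire."""
    return sorted(name for name, pkt in PACKETS.items()
                  if header_matches(OUTBOUND_RULE, pkt, variables))

if __name__ == "__main__":
    print("any/any :", alerts(VARS_ANY))
    print("topology:", alerts(VARS_TOPOLOGY))
```

With both variables set to "any" the header matches traffic in every direction, so an alert cannot say whether an internal user was the source; with the variables set to the topology, only the inside-to-outside packet matches.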