Snort mailing list archives

Re: Best External_Net setting


From: Erek Adams <erek () snort org>
Date: Thu, 22 May 2003 10:35:16 -0400 (EDT)

On Thu, 22 May 2003, Stephen W. Thomas wrote:

I'm trying to find out what the pros and cons are to setting the
external_net variable to "!$home_net" instead of "any" on a client's
network.

The network is currently configured where the internet feeds a router
which feeds a firewall which feeds a Windows2k network. The network
consists of Web servers, DNS servers, Exchange servers, and file
servers. These are all on the same domain. Snort is monitoring that
domain. My boss is trying to get rid of all of the false hits it's
taking from inter-server traffic, so I thought that changing the
External_Net variable to "!$Home_Net" would do it. However, I'm afraid
if someone broke through the firewall, or spoofed an internal IP then we
wouldn't get any hits on it.

Does anyone have any thoughts on External_Net being defined as "any" or
"!$Home_Net"?

These are only my opinions...  With using 'any' you have the widest
coverage possible.  Snort would examine each and every packet to see if
there was a rule match.  There's also the huge increase in false positives
that you have to contend with.

By swapping over to use !$HOME_NET you limit the amount of data, which does
a few things: it makes Snort faster, cuts down on false positives and reduces
memory usage.  With fewer checks to make (all IPs vs. all IPs minus
some), Snort will process packets more quickly.  This may only be an issue
if you are at a high utilization site.

If you're worried about missing things, then add a few rules that catch
'weird stuff'.  Something like:

        # flags:S inspects the TCP header, so the rule protocol is tcp; one rule per line
        alert tcp $WEB_SERVERS any -> $EXTERNAL_NET any (msg:"Outgoing SYN from the webserver!"; flags:S;)

Since nothing in WEB_SERVERS should initiate an outgoing connection.  You
can massage that to work for other servers as needed.  For some more
examples check the archives under 'anomaly detection' [0].  There's been
some discussion about how to use standard Snort rules to detect 'weird
things'.

Is there a perfect setting?  Nope.  Is there one that might work for you?
Yep.  :)

Hope that helps!

-----
Erek Adams
   "When things get weird, the weird turn pro."   H.S. Thompson


[0] http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=anomaly+detection&q=b
    http://marc.theaimsgroup.com/?t=104504313900002&r=1&w=2
    http://marc.theaimsgroup.com/?l=snort-users&m=104547413832200&w=2
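As an added illustration (not part of Erek's or Stephen's mail), the Python below models how the $EXTERNAL_NET choice changes which flows a typical inbound rule header and Erek's outbound-SYN rule would even consider; the HOME_NET/WEB_SERVERS addresses and the five flows are constructed for the scenario in the thread.

```python
import ipaddress

# Constructed addresses standing in for the client's network (not from the original post).
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]
WEB_SERVERS = [ipaddress.ip_network("192.168.1.10/32")]

def in_var(addr, nets):
    """True if addr falls inside any network of a Snort IP variable."""
    return any(ipaddress.ip_address(addr) in n for n in nets)

def external_net(addr, setting):
    """Evaluate $EXTERNAL_NET for one address under 'any' or '!$HOME_NET'."""
    if setting == "any":
        return True
    if setting == "!$HOME_NET":
        return not in_var(addr, HOME_NET)
    raise ValueError(f"unsupported EXTERNAL_NET setting: {setting}")

def inbound_rule(flow, setting):
    """Header of a typical signature: alert tcp $EXTERNAL_NET any -> $HOME_NET any."""
    return external_net(flow["src"], setting) and in_var(flow["dst"], HOME_NET)

def outbound_syn_rule(flow, setting):
    """Erek's anomaly rule: alert tcp $WEB_SERVERS any -> $EXTERNAL_NET any (flags:S;)."""
    return (flow["flags"] == "S" and in_var(flow["src"], WEB_SERVERS)
            and external_net(flow["dst"], setting))

# Constructed flows: the inter-server chatter Stephen's boss wants silenced, the
# internal-source case he fears missing, and two outbound SYNs from the web server.
FLOWS = [
    {"name": "internet->web",        "src": "203.0.113.5",  "dst": "192.168.1.10", "flags": "S"},
    {"name": "exchange->web",        "src": "192.168.1.20", "dst": "192.168.1.10", "flags": "S"},
    {"name": "insider/spoofed->web", "src": "192.168.1.99", "dst": "192.168.1.10", "flags": "S"},
    {"name": "web->internet SYN",    "src": "192.168.1.10", "dst": "198.51.100.7", "flags": "S"},
    {"name": "web->exchange SYN",    "src": "192.168.1.10", "dst": "192.168.1.20", "flags": "S"},
]

def evaluate(setting):
    """Map flow name -> (inbound header matches, outbound-SYN rule matches) for a setting."""
    return {f["name"]: (inbound_rule(f, setting), outbound_syn_rule(f, setting)) for f in FLOWS}

if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET = {setting}")
        for name, (inb, outb) in evaluate(setting).items():
            print(f"  {name:22} inbound={inb!s:5} outbound_syn={outb}")
```

Under "!$HOME_NET" the two internal-source flows drop out of the inbound header entirely (quieter, but exactly Stephen's worry), and the outbound-SYN rule only covers web-server connections leaving HOME_NET.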



