Snort mailing list archives

Re: HOME_NET and EXTERNAL_NET


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 01 Dec 2004 18:16:04 -0500

At 05:14 PM 12/1/2004, JAMIE CRAWFORD wrote:
Thanks for the information everyone. I'll try this out.  Here are the
most common alerts in a half a second span.

thanks again,
jamie


[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF
***AP*** Seq: 0x5337F75E  Ack: 0x41F6E98F  Win: 0xFAF0  TcpLen: 20

Those alerts are from the http_inspect preprocessor. HOME_NET and EXTERNAL_NET pertain to rules, but not usually to preprocessors.

See snort.conf for parameters to http_inspect. If you only care about inbound attacks, limit its list of potential servers to just your actual HTTP servers.

Right now you probably have:

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

Which means it will monitor all http servers for attacks.

Try removing that (making the default empty) and replacing with a few entries like these:

preprocessor http_inspect_server: server 192.168.1.1 \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor http_inspect_server: server 192.168.2.2 \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
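The effect of the per-server change above can be checked against an alert file before touching snort.conf. The following is an added example, not code from the thread or from the Snort project: it parses Snort full-format alert headers like the one Jamie posted and reports which http_inspect alerts would still fire once only the listed servers are inspected. The second sample alert and its source address 203.0.113.7 are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the alert from the thread, plus a constructed inbound hit
# against 192.168.1.1, one of the server addresses used in the reply.
SAMPLE_ALERTS = """\
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF
***AP*** Seq: 0x5337F75E  Ack: 0x41F6E98F  Win: 0xFAF0  TcpLen: 20

[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:14.000001 203.0.113.7:51000 -> 192.168.1.1:80
TCP TTL:54 TOS:0x0 ID:1 IpLen:20 DgmLen:600 DF
***AP*** Seq: 0x00000001  Ack: 0x00000002  Win: 0xFAF0  TcpLen: 20
"""

# "[**] [gid:sid:rev] (preprocessor) message [**]" and the flow line that follows it
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):\d+\] \((\w+)\) (.+) \[\*\*\]$")
FLOW_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """Return one dict per alert: gid, sid, preprocessor name, message, src/dst ip, dst port."""
    alerts, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        h = HEADER_RE.match(line)
        if not h or i + 1 >= len(lines):
            continue
        f = FLOW_RE.match(lines[i + 1])
        if not f:
            continue
        alerts.append({"gid": int(h.group(1)), "sid": int(h.group(2)), "pp": h.group(3),
                       "msg": h.group(4), "src": f.group(1), "dst": f.group(3),
                       "dport": int(f.group(4))})
    return alerts

def would_still_fire(alert, http_servers, ports):
    """Model an empty default plus per-server http_inspect_server entries: an http_inspect
    alert can only arise for traffic to a listed server on one of the listed ports."""
    if alert["pp"] != "http_inspect":
        return True  # rule alerts are governed by HOME_NET/EXTERNAL_NET, not by this change
    dst = ipaddress.ip_address(alert["dst"])
    return alert["dport"] in ports and any(dst == ipaddress.ip_address(s) for s in http_servers)

def triage(text, http_servers, ports=(80, 8080, 8180)):
    """Pair each alert's destination with whether the per-server config would keep it."""
    return [(a["dst"], would_still_fire(a, http_servers, ports)) for a in parse_alerts(text)]
```

Running `triage(SAMPLE_ALERTS, ["192.168.1.1", "192.168.2.2"])` shows the outbound browsing alert to 207.188.24.156 disappearing while the hit on the internal server is retained.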


