Snort mailing list archives
Re: HOME_NET and EXTERNAL_NET
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 01 Dec 2004 18:16:04 -0500
At 05:14 PM 12/1/2004, JAMIE CRAWFORD wrote:
> Thanks for the information everyone. I'll try this out. Here are the most common alerts in a half a second span.
> thanks again,
> jamie
>
> [**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
> 12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
> TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF
> ***AP*** Seq: 0x5337F75E Ack: 0x41F6E98F Win: 0xFAF0 TcpLen: 20

Those alerts are from the http_inspect preprocessor. HOME_NET and EXTERNAL_NET pertain to rules, but not usually to preprocessors.

See snort.conf for parameters to http_inspect. If you only care about inbound attacks, limit its list of potential servers to just your actual HTTP servers.

Right now you probably have:

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

Which means it will monitor all http servers for attacks. Try removing that (making the default empty) and replacing with a few entries like these:

preprocessor http_inspect_server: server 192.168.1.1 \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

preprocessor http_inspect_server: server 192.168.2.2 \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
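
To see which alerts in a log come from preprocessors rather than from rules, and which http_inspect alerts concern traffic to hosts that are not your own web servers, the following added example (not code from this thread or from the Snort project) tallies full-format alerts by generator ID. The function names, the sample log beyond its first alert, and the treatment of GIDs 1 and 3 as the rule engines are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample (full alert format): the first alert is the one quoted in
# the thread, the other two are made up; sid 1000001 is a placeholder.
SAMPLE = """\
[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.083149 192.168.53.169:4536 -> 207.188.24.156:80
TCP TTL:126 TOS:0x0 ID:58566 IpLen:20 DgmLen:1114 DF

[**] [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER [**]
12/01-16:05:13.201877 203.0.113.7:40112 -> 192.168.1.1:80

[**] [1:1000001:1] LOCAL constructed rule alert [**]
[Classification: Misc activity] [Priority: 3]
12/01-16:05:13.350002 203.0.113.7:40113 -> 192.168.1.1:80
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW = re.compile(r"^\S+ ([\d.]+)(?::\d+)? -> ([\d.]+)(?::\d+)?$")
RULE_GIDS = {1, 3}  # assumption: 1 = text rules, 3 = shared-object rules


def parse_alerts(text):
    """Return one dict per alert: gid, sid, msg, src, dst."""
    alerts, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if (head := HEADER.match(line.strip())) is None:
            continue
        # The flow line follows the header, optionally after a classification line.
        flow = next((m for nxt in lines[i + 1:i + 3]
                     if (m := FLOW.match(nxt.strip()))), None)
        alerts.append({"gid": int(head[1]), "sid": int(head[2]), "msg": head[4],
                       "src": flow[1] if flow else None,
                       "dst": flow[2] if flow else None})
    return alerts


def by_source(alerts):
    """Count alerts per (origin, gid, sid); origin is 'rule' or 'preprocessor'."""
    return Counter(("rule" if a["gid"] in RULE_GIDS else "preprocessor",
                    a["gid"], a["sid"]) for a in alerts)


def not_my_servers(alerts, http_servers, gid=119):
    """http_inspect alerts whose destination is not one of your HTTP servers."""
    return [a for a in alerts if a["gid"] == gid and a["dst"] not in http_servers]


if __name__ == "__main__":
    print(by_source(parse_alerts(SAMPLE)))
```

Passing the parsed alerts and your own server addresses to `not_my_servers` lists the http_inspect alerts raised on traffic to other hosts, such as the outbound request to 207.188.24.156 quoted above.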