Snort mailing list archives

Re: EXTERNAL_NET: any vs !$HOME_NET


From: Jason Brvenik <jasonb () sourcefire com>
Date: Mon, 01 Jan 2007 12:59:57 -0500



Hari Sekhon wrote:
> I've currently got "var EXTERNAL_NET any" in my snort.conf and was
> considering making it "var EXTERNAL_NET !$HOME" instead, but looking
> at the rules files, it seems that most rules will immediately
> disregard any suspicious traffic from your HOME_NET in this case,
> which basically blinds you to any internal threats.

Correct. A proper deployment will have systems monitoring external
threats and a different system monitoring internal threats. You could
also run multiple instances of Snort on the same machine with different
interfaces and configurations. This is a less preferred method but often
makes budget happier. You should be aware that bridging an external and
internal network with _any_ device regardless of purpose has a certain
amount of risk involved.


> I am also running snort on several servers that are not publicly
> accessible (i.e. port forwards) but want to be able to see malicious or
> suspicious traffic from all networks.
>
> The current problem with the EXTERNAL_NET any is that a lot of rules
> are throwing up too many false positives and it's very difficult to go
> around writing pass rules for every other packet that goes through the
> network interface (I exaggerate slightly).

You are asking too much of one system and configuration. If your needs
are more complex and detailed, you should move to a more complex and
detailed configuration.


> It seems a very difficult juggling act to on the one hand stop false
> positives and on the other to not totally negate the worth of the IDS
> by making it too loose.

It is until you split the functions up into more manageable chunks.


> For example I have stacks of "MS Terminal server request RDP" alerts
> coming from machines on my home net. I can see how changing the
> EXTERNAL_NET would be a good idea to stop these unless they come from
> outside the network, but considering that this also stops most rules
> from matching if somebody attacks from a machine within the building
> or any remote site connected via VPN (which are included in HOME_NET
> and therefore excluded from EXTERNAL_NET).
>
> Anybody got any advice on this?

Create external, internal, VPN, and B2B segments and then monitor each
appropriately. Each zone has a different threat perspective and should
be monitored with different rules and configurations.



> --
> Hari Sekhon

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
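The blind spot discussed in this thread, as an added illustration that is not part of either message and not Snort's own code: a small model of how a rule header like `alert tcp $EXTERNAL_NET any -> $HOME_NET 3389` resolves its address variables, run against three constructed flows (internet, LAN and VPN sources) under `EXTERNAL_NET any` and under `EXTERNAL_NET !$HOME_NET`. The networks and addresses are made up.

```python
import ipaddress

# Constructed model of how Snort resolves the address variables in a rule
# header (e.g. "alert tcp $EXTERNAL_NET any -> $HOME_NET 3389"). It is an
# added illustration, not Snort's own code; the networks are made up.
VARS_ANY = {
    "HOME_NET": "[192.168.1.0/24,10.8.0.0/24]",  # office LAN plus VPN pool
    "EXTERNAL_NET": "any",
}
VARS_NEGATED = dict(VARS_ANY, EXTERNAL_NET="!$HOME_NET")

def resolve(spec, variables):
    """Return (negated, networks) for an address spec; networks is None for 'any'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, None
    if spec.startswith("$"):  # variable reference, which may itself be negated
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    nets = [ipaddress.ip_network(n) for n in spec.strip("[]").split(",")]
    return negated, nets

def addr_matches(spec, addr, variables):
    negated, nets = resolve(spec, variables)
    hit = nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated

def rule_applies(src_spec, dst_spec, src_ip, dst_ip, variables):
    """True if both the source and destination of the rule header match the flow."""
    return (addr_matches(src_spec, src_ip, variables)
            and addr_matches(dst_spec, dst_ip, variables))

# Constructed flows toward an internal RDP server (192.168.1.20:3389).
FLOWS = {
    "internet": ("203.0.113.7", "192.168.1.20"),
    "lan":      ("192.168.1.10", "192.168.1.20"),
    "vpn":      ("10.8.0.5", "192.168.1.20"),
}

def coverage(variables):
    """Which flows an $EXTERNAL_NET -> $HOME_NET rule would still inspect."""
    return {name: rule_applies("$EXTERNAL_NET", "$HOME_NET", s, d, variables)
            for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, v in (("EXTERNAL_NET any", VARS_ANY), ("EXTERNAL_NET !$HOME_NET", VARS_NEGATED)):
        print(label, coverage(v))
```

With the negated setting, the LAN and VPN sources fall outside $EXTERNAL_NET and the rule never evaluates those flows, which is exactly why the reply recommends a separate sensor or Snort instance per zone rather than one configuration for all of them.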

