Snort mailing list archives

Re: Best practices for setting HOME_NET


From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 12 Jan 2013 02:32:33 -0500

On 1/11/2013 19:05, Joel Esler wrote:
Correct. But if your sensor is sitting in a position to only watch traffic in
and out of the network at the gateway, you wouldn't see that anyway.

It depends on your sensor placement. "any" is a good default if you don't know
what to do.

agreed... to a point... that point being that you may end up chasing your tail 
looking for internal infestations when they are external and possibly already 
blocked and simply being alerted on...

On Jan 11, 2013, at 7:04 PM, Mike Miller <mike () millertwinracing com
<mailto:mike () millertwinracing com>> wrote:

The example we've used is a machine being infected via thumbdrive, or an
infected Laptop being brought inside. Say 10.1.1.200

Home_NET 10.1.1.0/24
EXTERNAL_NET !HOME_NET

would miss an infected machine sweeping the inside for additional candidates.
It also might not catch 'encrypted traffic on a nonstandard port' when it
opens up an outbound connection for C&C.



On Jan 11, 2013, at 4:58 PM, Joel Esler <jesler () sourcefire com
<mailto:jesler () sourcefire com>> wrote:

Depends on your deployment scenario.

If you have a border gateway Snort, then Kevin's suggestion is great. If you
have more of an internal LAN facing Snort, then your suggestion is valid.

Where it really gets fun is when you define HOME_NET and then you define
EXTERNAL_NET as HOME_NET.

J

On Jan 11, 2013, at 6:03 PM, Mike Miller <mike () millertwinracing com
<mailto:mike () millertwinracing com>> wrote:

Not necessarily.

Your IDS won't alert on an internal range attacking another internal range.

I've seen:

ipvar EXTERNAL_NET any

to be more expansive.

On Jan 11, 2013, at 11:34 AM, Kevin Ross <kevross33 () googlemail com
<mailto:kevross33 () googlemail com>> wrote:

It should be your internal network ranges or specifically the IPs or
subnets you are trying to protect if you want to refine it further and
consider even more to be "external". If you are really unsure you can set
it as RFC 1918 addresses and then set EXTERNAL_NET to be anything not HOME_NET.

i.e
ipvar HOME_NET [ 10.0.0.0/8,172.16.0.0/12, 192.168.1.0/16 ]
ipvar EXTERNAL_NET !$HOME_NET

It is important to try and get this right so the rules are applied properly.

Hope that helps,
Kevin


On 11 January 2013 04:02, Craig Merchant <cmerchant () responsys com
<mailto:cmerchant () responsys com>> wrote:

    What are the best practices for setting the HOME_NET variable in an
    environment where multiple sensors exist at different sites or
    datacenters? Is it considered best to set it to a network range that
    encompasses all of the sites, or generally is it considered best to
    treat intra-site traffic as external?

    Thx.

    Craig

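To make the trade-off in this thread concrete, here is an added Python model (not Snort's code, and not from anyone in the thread) of how the two EXTERNAL_NET choices decide whether a `$EXTERNAL_NET -> $HOME_NET` rule can ever match Mike's 10.1.1.200 sweep versus a genuine inbound connection; the ipvar handling (`any`, CIDR lists, `!$VAR`) is a deliberate simplification of Snort's, and the flows are constructed.

```python
"""Model how the HOME_NET / EXTERNAL_NET choice decides whether a rule
written as  $EXTERNAL_NET -> $HOME_NET  can fire on a given flow.
Added illustration of the thread's argument; simplified ipvar semantics."""
import ipaddress
from typing import List, Union

Var = Union[str, List[str]]  # "any", "!$NAME", or a list of CIDR strings


def resolve(name: str, vars_: dict) -> Var:
    # Snort references another variable as $NAME; strip the '$' to look it up.
    return vars_[name.lstrip("$")]


def matches(ip: str, var: Var, vars_: dict) -> bool:
    """True if `ip` falls inside the address set described by `var`."""
    if var == "any":
        return True
    if isinstance(var, str) and var.startswith("!"):
        # Negation: in the set iff NOT in the referenced variable's set.
        return not matches(ip, resolve(var[1:], vars_), vars_)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in var)


def rule_can_fire(src: str, dst: str, vars_: dict) -> bool:
    """Does a  $EXTERNAL_NET -> $HOME_NET  rule see this src->dst flow?"""
    return (matches(src, vars_["EXTERNAL_NET"], vars_)
            and matches(dst, vars_["HOME_NET"], vars_))


# The two configurations discussed in the thread (HOME_NET from Mike's example).
STRICT = {"HOME_NET": ["10.1.1.0/24"], "EXTERNAL_NET": "!$HOME_NET"}
EXPANSIVE = {"HOME_NET": ["10.1.1.0/24"], "EXTERNAL_NET": "any"}

# Constructed flows: the infected laptop 10.1.1.200 sweeping a neighbour,
# and an outside host (TEST-NET-2 address) hitting the inside.
SWEEP = ("10.1.1.200", "10.1.1.50")
INBOUND = ("198.51.100.7", "10.1.1.50")

if __name__ == "__main__":
    for label, cfg in (("!$HOME_NET", STRICT), ("any", EXPANSIVE)):
        print(f"EXTERNAL_NET {label}: sweep seen={rule_can_fire(*SWEEP, cfg)}, "
              f"inbound seen={rule_can_fire(*INBOUND, cfg)}")
```

With `!$HOME_NET` the internal sweep is invisible to inbound-style rules, which is exactly the blind spot Mike describes; with `any` it is seen, at the cost of the tail-chasing waldo mentions.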

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!