Snort mailing list archives
Re: Best practices for setting HOME_NET
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 12 Jan 2013 02:32:33 -0500
On 1/11/2013 19:05, Joel Esler wrote:
Correct. But if your sensor is sitting in a position to only watch traffic in and out of the network at the gateway, you wouldn't see that anyway. It depends on your sensor placement. "any" is a good default if you don't know what to do.
agreed... to a point... that point being that you may end up chasing your tail looking for internal infestations when they are external and possibly already blocked and simply being alerted on...
On Jan 11, 2013, at 7:04 PM, Mike Miller <mike () millertwinracing com <mailto:mike () millertwinracing com>> wrote:The example we've used is a machine being infected via thumbdrive, or an infected Laptop being brought inside. Say 10.1.1.200 Home_NET 10.1.1.0/24 EXTERNAL_NET !HOME_NET would miss an infected machine sweeping the inside for additional candidates. It also might not catch 'encrypted traffic on a nonstandard port' when it opens up an outbound connection for C&C. On Jan 11, 2013, at 4:58 PM, Joel Esler <jesler () sourcefire com <mailto:jesler () sourcefire com>> wrote:Depends on your deployment scenario. If you have a border gateway Snort, then Kevin's suggestion is great. If you have more of an internal LAN facing Snort, then your suggestion is valid. Where it really gets fun is when you define HOME_NET and then you define EXTERNAL_NET as HOME_NET. J On Jan 11, 2013, at 6:03 PM, Mike Miller <mike () millertwinracing com <mailto:mike () millertwinracing com>> wrote:Not necessarily. Your IDS won't alert on an internal range attacking another internal range. I've seen: ipvar EXTERNAL_NET any to be more expansive. On Jan 11, 2013, at 11:34 AM, Kevin Ross <kevross33 () googlemail com <mailto:kevross33 () googlemail com>> wrote:It should be your internal network ranges or specifically the IPs or subnets you are trying to protect if you want to refine it further and consider even more to be "external". If you are really unsure you can set it as RFC 1918 addresses and then set EXTERNAL_NET to be anything not HOME_NET. i.e ipvar HOME_NET [ 10.0.0.0/8,172.16.0.0/12 <http://10.0.0.0/8,172.16.0.0/12>, 192.168.1.0/16 <http://192.168.1.0/16> ] ipvar EXTERNAL_NET !$HOME_NET It is important to try and get this right so the rules are applied properly. Hope that helps, Kevin On 11 January 2013 04:02, Craig Merchant <cmerchant () responsys com <mailto:cmerchant () responsys com>> wrote: What are the best practices for setting the HOME_NET variable in an environment where multiple sensors exist at different sites or datacenters? Is it considered best to set it to a network range that encompasses all of the sites, or generally is it considered best to treat intra-site traffic as external?____ __ __ Thx.____ __ __ Craig____
------------------------------------------------------------------------------ Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122912 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Best practices for setting HOME_NET Craig Merchant (Jan 10)
- Re: Best practices for setting HOME_NET Joel Esler (Jan 11)
- Re: Best practices for setting HOME_NET Kevin Ross (Jan 11)
- Re: Best practices for setting HOME_NET Mike Miller (Jan 11)
- Re: Best practices for setting HOME_NET Joel Esler (Jan 11)
- Re: Best practices for setting HOME_NET Mike Miller (Jan 11)
- Re: Best practices for setting HOME_NET Joel Esler (Jan 11)
- Re: Best practices for setting HOME_NET waldo kitty (Jan 11)
- Re: Best practices for setting HOME_NET waldo kitty (Jan 11)
- Re: Best practices for setting HOME_NET Mike Miller (Jan 11)