Re: home_net as source?

[Jeremy Hoel <jthoel () gmail com>]

In my experience, I fine the portscan processor is, well, finicky.  When we
have it on, we get alerts for clients talking to Windows Domain Controllers
and file servers. So it's value for client to server on the inside is hard
to verify/tune/tweak.


On Fri, Mar 7, 2014 at 3:29 PM, Michael Wisniewski <wiz561 () gmail com> wrote:

> I have a question about some of the results I'm seeing.  The majority of
> results are having the traffic go as expected with external/outside IP's
> alerting on my home_net address.  Some alerts have my home_net as the
> source and outside IP's as the destination.  This is most prevalent in port
> scanning.
>
> I'm about 99% positive that I'm not starting the portscan from
> inside...but for some reason, snort thinks I am.
>
> I'm just wondering what the cause of this is.  To me, it seems kind of
> backwards, but I know that depending on where the sensor is, it might make
> a difference.  My setup is that I mirrored the port the cable modem is
> plugged into and then that goes into the firewall...  So...
>
> Cable Modem -> Switch Port 1
> Firewall/Router -> Port 2
> Snort sensor -> Port 5
>
> Mirrored port 1.
>
> Any help is appreciated.
>
> Thanks!
>
>
> ------------------------------------------------------------------------------
> Subversion Kills Productivity. Get off Subversion & Make the Move to
> Perforce.
> With Perforce, you get hassle-free workflows. Merge that actually works.
> Faster operations. Version large binaries.  Built-in WAN optimization and
> the
> freedom to use Git, Perforce or both. Make the move to Perforce.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!