Home page logo
/

snort logo Snort mailing list archives

Re: Doubt about configuration HOME, EXTERNAL.
From: Agus <agus.262 () gmail com>
Date: Sun, 9 Jun 2013 19:41:58 -0300

Thanks Shane for your time! Will try to do some pcaps..


2013/6/6 Morris, Shane (US SSA) <shane.morris () baesystems com>

 Agus,****

** **

When you’re watching traffic leaving your network you’re looking for
things like users going to infected sites, CNC, bad domains/IPs, data
exfil, etc It’s just as important as watching the noise banging off your
web servers.****

** **

If your net is just the /24 than I think your variables are correct. The
rules would header would be HOME_NET -> EXTERNAL_NET. Also Snort default
HTTP_PORTS variable includes proxy ports so you can catch your users going
to the net through a proxy port.****

** **

The best thing to do is run some dumps on your listening port/s and
analyze the traffic along with some accurate net diags.****

** **

** **

** **

** **

*From:* Agus [mailto:agus.262 () gmail com]
*Sent:* Wednesday, June 05, 2013 9:54 AM
*To:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] Doubt about configuration HOME, EXTERNAL.****

** **

Any link, tip is appreciated.****

** **

Thanks****

** **

2013/6/4 Agus <agus.262 () gmail com>****

Hi guys,****

** **

I have a subnet that connects to a client Network. They asked me to
implement an IDS. Si i built snort/snorby/PP****

** **

This is an unusual, at least for me, place as i am supposed to monitor the
traffic going away from my net to the other, instead of what it is more
common that i monitor incoming traffic to my severs.****

** **

So my doubt is how should i configure the Network variables.****

** **

My net = 10.11.0.0/24 - HOME_NET****

Client = !HOME_NET - EXTERNAL_NET****

** **

That is the approach i took. the same as if the servers were on my net;
but that aint the case as i have the clients/users on my NET, and all
services(web, proxy, inet) are on their side. I was thinking on swapping
the values.****

** **

Thanks for any tip you can provide!****

Cheers****

** **

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault