Snort mailing list archives

Re: newbie question about $HOME_NET


From: "Daniel Qian" <daniel.qian () supracanada com>
Date: Mon, 5 Oct 2009 15:32:39 -0400

The place where I put the Snort box for sniffing is the entry point for the two ISPs - the spot between my network block 
and the Internet. As far as I understand it, all traffic the Snort box will see will be either coming from the Internet to 
my block or the other way around, and this traffic is exactly what I want to watch for.  So I am wondering what extra 
alerts I will get in addition to the ones I know I want.

Thanks for the reply,
Daniel

  ----- Original Message ----- 
  From: Joel Esler 
  To: Daniel Qian 
  Cc: JJ Cummings ; snort-users () lists sourceforge net 
  Sent: Monday, October 05, 2009 2:43 PM
  Subject: Re: [Snort-users] newbie question about $HOME_NET


  You could leave HOME_NET and EXTERNAL_NET as "any" to detect traffic in both directions regardless of signature.  But 
you will wind up with a LOT of alerts.


  J


  On Mon, Oct 5, 2009 at 12:02 PM, Daniel Qian <daniel.qian () supracanada com> wrote:

    Perhaps I did not make it clear. What I really want to detect is the traffic between my network and the 
Internet, in both directions.

    A lot of times when a host is compromised it will be made to attack other people on the Internet, and I want to 
detect this kind of activity as well. For traffic between my own hosts I am thinking of setting up another Snort box 
tapping on the inside VLAN protected by my Cisco ASA firewall. The Cisco ASA currently has an IPS module to protect 
that VLAN from outside.

    Thanks,
    Daniel

      ----- Original Message ----- 
      From: JJ Cummings 
      To: Daniel Qian 
      Cc: snort-users () lists sourceforge net 
      Sent: Monday, October 05, 2009 10:33 AM
      Subject: Re: [Snort-users] newbie question about $HOME_NET


      In that case, you still want your $HOME_NET variable set to the network block that you are "protecting".  But 
you should set your $EXTERNAL_NET to any. This will let you see internal attacks against internal hosts (of course 
this assumes that you have your SPAN session / TAP set up to see this internal traffic).


      On Mon, Oct 5, 2009 at 8:11 AM, Daniel Qian <daniel.qian () supracanada com> wrote:

        I am implementing Snort on our hosting network at the point where our two
        ISP links are connected - all traffic flowing on the two VLANs for the ISPs is
        SPANned to the Snort sniffing port.

        Some documents recommend setting $HOME_NET to my network block, and a lot of
        detection rules actually reference this variable. The question is,
        if I want to detect bad traffic originating from a compromised host on my
        network, should this variable be set to the default ANY? Or is that the common and
        proper way in this situation?

        Thanks in advance
        Daniel


        ------------------------------------------------------------------------------
        Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
        is the only developer event you need to attend this year. Jumpstart your
        developing skills, take BlackBerry mobile applications to market and stay
        ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
        http://p.sf.net/sfu/devconf
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://www.geocrawler.com/redir-sf.php3?list=snort-users









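As an added illustration (not code from this thread and not Snort's own code), the following Python model shows how the three $HOME_NET / $EXTERNAL_NET settings discussed above change which rule headers can fire on which flows. It assumes a protected block of 192.0.2.0/24 and two rule-header shapes that Snort rules commonly use; the variable parser, the network addresses and the sample flows are constructed for the example, and Snort's real matching additionally checks protocol, ports and payload.

```python
import ipaddress

# Added example (not Snort's code): a minimal model of how the $HOME_NET and
# $EXTERNAL_NET variables in a Snort rule header select which packets a rule
# can fire on. Protocol, ports and payload matching are deliberately left out.


def resolve(expr, variables):
    """Turn an address expression into (negated, networks).

    networks is None for 'any', otherwise a list of ip_network objects.
    Supports 'any', a single CIDR, a [a,b,c] list, $VAR references and a
    leading '!' negation (negation inside a list is not modelled).
    """
    expr = expr.strip()
    negated = False
    if expr.startswith("!"):
        negated = True
        expr = expr[1:].strip()
    if expr.startswith("$"):
        inner_negated, nets = resolve(variables[expr[1:]], variables)
        return (negated != inner_negated, nets)
    if expr.lower() == "any":
        # In this model a negated 'any' matches nothing; do not rely on that
        # combination in a real snort.conf.
        return (negated, None)
    parts = expr.strip("[]").split(",")
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in parts]
    return (negated, nets)


def addr_matches(ip, spec):
    """True if ip falls inside the resolved address set (honouring negation)."""
    negated, nets = spec
    addr = ipaddress.ip_address(ip)
    hit = True if nets is None else any(addr in n for n in nets)
    return hit != negated


def rule_matches(rule, packet, variables):
    """rule = (src_expr, direction, dst_expr); packet = (src_ip, dst_ip)."""
    src_expr, direction, dst_expr = rule
    src_spec = resolve(src_expr, variables)
    dst_spec = resolve(dst_expr, variables)
    s_ip, d_ip = packet
    forward = addr_matches(s_ip, src_spec) and addr_matches(d_ip, dst_spec)
    if direction == "->":
        return forward
    if direction == "<>":
        reverse = addr_matches(d_ip, src_spec) and addr_matches(s_ip, dst_spec)
        return forward or reverse
    raise ValueError("unknown direction operator: %r" % direction)


# Constructed settings: the protected block is the documentation range
# 192.0.2.0/24 (an assumption); the three configurations are the ones
# discussed in the thread.
CONFIGS = {
    "default":      {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"},
    "external_any": {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "any"},
    "both_any":     {"HOME_NET": "any",          "EXTERNAL_NET": "any"},
}

# Two rule-header shapes: most server-side exploit signatures are written
# inbound, most trojan / C2 check-in signatures outbound.
INBOUND_RULE = ("$EXTERNAL_NET", "->", "$HOME_NET")
OUTBOUND_RULE = ("$HOME_NET", "->", "$EXTERNAL_NET")

# Constructed sample flows (198.51.100.7 stands in for an Internet host).
PACKETS = {
    "internet_to_host": ("198.51.100.7", "192.0.2.10"),
    "host_to_internet": ("192.0.2.10", "198.51.100.7"),
    "host_to_host":     ("192.0.2.10", "192.0.2.20"),
}


def coverage(config_name):
    """For one configuration, report which rule shape can fire on each flow."""
    variables = CONFIGS[config_name]
    return {
        flow: {
            "inbound": rule_matches(INBOUND_RULE, pkt, variables),
            "outbound": rule_matches(OUTBOUND_RULE, pkt, variables),
        }
        for flow, pkt in PACKETS.items()
    }


if __name__ == "__main__":
    for name in CONFIGS:
        print(name)
        for flow, result in coverage(name).items():
            print("  %-17s inbound=%-5s outbound=%s"
                  % (flow, result["inbound"], result["outbound"]))
```

Running it shows the trade-off the thread is circling. With the usual snort.conf pairing (`ipvar HOME_NET 192.0.2.0/24`, `ipvar EXTERNAL_NET !$HOME_NET`) a compromised host attacking the Internet is only seen by rules written `$HOME_NET -> $EXTERNAL_NET`; inbound-shaped exploit signatures never fire on that flow, and nothing fires on host-to-host traffic. Setting EXTERNAL_NET to any (JJ's suggestion) makes inbound-shaped rules fire on host-to-host traffic too, but still not on host-to-Internet traffic. Setting both to any (Joel's suggestion) makes every rule header match every flow in both directions, which is where the extra alert volume comes from.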