Snort mailing list archives

Re: Best practices for setting HOME_NET

From: Kevin Ross <kevross33 () googlemail com>
Date: Fri, 11 Jan 2013 18:34:34 +0000

It should be your internal network ranges or specifically the IPs or
subnets you are trying to protect if you want to refine it further and
consider even more to be "external". If you are really unsure you can set
it as RFC 1918 addresses and then set EXTERNAL_NET to be anything not
HOME_NET.

i.e
ipvar HOME_NET [ 10.0.0.0/8,172.16.0.0/12, 192.168.1.0/16 ]
ipvar EXTERNAL_NET !$HOME_NET

It is important to try and get this right so the rules are applied properly.

Hope that helps,
Kevin


On 11 January 2013 04:02, Craig Merchant <cmerchant () responsys com> wrote:

 What are the best practices for setting the HOME_NET variable in an
environment where multiple sensors exist at different sites or
datacenters?  Is it considered best to set it to a network range that
encompasses all of the sites, or generally is it considered best to treat
intra-site traffic as external?****

** **

Thx.****

** **

Craig****


------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Best practices for setting HOME_NET Craig Merchant (Jan 10)
- Re: Best practices for setting HOME_NET Joel Esler (Jan 11)
- Re: Best practices for setting HOME_NET Kevin Ross (Jan 11)
  - Re: Best practices for setting HOME_NET Mike Miller (Jan 11)
    - Re: Best practices for setting HOME_NET Joel Esler (Jan 11)
    - Re: Best practices for setting HOME_NET Mike Miller (Jan 11)
    - Re: Best practices for setting HOME_NET Joel Esler (Jan 11)
    - Re: Best practices for setting HOME_NET waldo kitty (Jan 11)
    - Re: Best practices for setting HOME_NET waldo kitty (Jan 11)
- Re: Best practices for setting HOME_NET Jeremy Hoel (Jan 11)