[Snort-sigs] ftp rules question - why only external to internal?

Brian bmc at ...95...
Fri Apr 25 09:56:08 EDT 2003


On Fri, Apr 25, 2003 at 09:35:29AM -0500, Jerry.L.Rose at ...1475... wrote:
> I see there are several "bad" sections in the ftp rules ("bad files" section
> shown below). My question is why limit these to External network to and from
> internal network? Wouldn't it be better to change them to any network to any
> network? For example, if an internal user (located on the HOME_NET)
> attempted to download a "bad" file from any ftp server I'd like to know
> about it. What am I missing here?

This is a user-specific configuration.  Again, like most of the rules,
you probably want to run setting EXTERNAL_NET and HOME_NET to any.

That's a policy thing.  You decide how you want to run it.  We keep the
rules so it's easy to tune one way or the other rapidly.

-brian
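To make the effect of the two variable settings concrete, here is an added example (not code from Brian, the thread, or Snort itself) that evaluates a sample FTP rule header in the style discussed against two constructed flows, once with HOME_NET/EXTERNAL_NET split and once with both set to any. The rule text, addresses and CIDR are assumptions; the matcher only handles the address forms used here.

```python
import ipaddress

# Constructed rule header in the style of the ftp "bad files" rules
# (hypothetical; not copied from Snort's ftp.rules).
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 21"

# Constructed sample flows: (client ip, ftp server ip), server on port 21.
FLOWS = {
    "external client -> internal ftp server": ("203.0.113.5", "192.168.1.10"),
    "internal client -> external ftp server": ("192.168.1.20", "198.51.100.7"),
}

# Two snort.conf variable settings being compared (assumed values).
SPLIT_VARS = {"HOME_NET": "192.168.0.0/16", "EXTERNAL_NET": "!$HOME_NET"}
ANY_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}


def ip_matches(spec, variables, ip):
    """True if ip satisfies a Snort address spec.
    Supports 'any', a CIDR, '$VAR', and '!' negation of any of those
    (address lists in brackets are not handled)."""
    if spec.startswith("!"):
        return not ip_matches(spec[1:], variables, ip)
    if spec.startswith("$"):
        return ip_matches(variables[spec[1:]], variables, ip)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(rule, variables, src_ip, dst_ip, dst_port):
    """Evaluate a one-directional ('->') rule header against a flow."""
    _action, _proto, src, _sport, _arrow, dst, dport = rule.split()
    return (ip_matches(src, variables, src_ip)
            and ip_matches(dst, variables, dst_ip)
            and (dport == "any" or int(dport) == dst_port))


def coverage(variables):
    """Which sample flows the rule header would be evaluated for."""
    return {name: header_matches(RULE, variables, src, dst, 21)
            for name, (src, dst) in FLOWS.items()}


if __name__ == "__main__":
    for label, variables in (("split vars", SPLIT_VARS), ("all any", ANY_VARS)):
        print(label, coverage(variables))
```

With the split setting the second flow (an internal user fetching from an outside server) never reaches the rule body, which is exactly the gap the question describes.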