[Snort-sigs] ftp rules question - why only external to internal?
bmc at ...95...
Fri Apr 25 09:56:08 EDT 2003
On Fri, Apr 25, 2003 at 09:35:29AM -0500, Jerry.L.Rose at ...1475... wrote:
> I see there are several "bad" sections in the ftp rules ("bad files" section
> shown below). My question is why limit these to External network to and from
> internal network? Wouldn't it be better to change them to any network to any
> network? For example, if an internal user (located on the HOME_NET)
> attempted to download a "bad" file from any ftp server I'd like to know
> about it. What am I missing here?
This is a user-specific configuration. Again, like most of the rules,
you probably want to run setting EXTERNAL_NET and HOME_NET to any.
That's a policy thing. You decide how you want to run it. We keep the
rules so it's easy to tune one way or the other rapidly.
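To show concretely what the HOME_NET / EXTERNAL_NET choice does to the ftp rules, here is an added toy model (not Snort code, and not from this thread) of how a rule header's address variables gate which flows it can fire on. The header `tcp $EXTERNAL_NET any -> $HOME_NET 21` is an assumption about the shape of the "bad files" rules, since the quoted rules are not reproduced in the thread; the three sample flows and the 10.0.0.0/8 home network are constructed for the example. With the usual default of EXTERNAL_NET = !$HOME_NET, the internal-client-to-external-server download Jerry describes is never examined; with both set to any it is, at the cost of also matching internal-to-internal traffic.

```python
"""Toy model of how Snort's $HOME_NET / $EXTERNAL_NET variables gate a rule
header's direction. Added illustration, not Snort's own matching code; the rule
header, networks and flows below are constructed for this example."""
import ipaddress

# Constructed sample flows (client -> server), not captured traffic.
FLOWS = {
    "external_client_to_internal_ftp": ("203.0.113.5", "10.1.2.3"),
    "internal_client_to_external_ftp": ("10.1.2.3", "198.51.100.7"),
    "internal_client_to_internal_ftp": ("10.1.2.3", "10.9.9.9"),
}

def build_vars(home_net):
    """Return the two Snort variables for a given HOME_NET setting.
    home_net is a CIDR string or 'any'. EXTERNAL_NET is modelled as !$HOME_NET
    (the common snort.conf default) unless HOME_NET is 'any', in which case
    EXTERNAL_NET is 'any' too, as the reply above suggests running it."""
    if home_net == "any":
        return {"HOME_NET": "any", "EXTERNAL_NET": "any"}
    return {"HOME_NET": home_net, "EXTERNAL_NET": "!" + home_net}

def addr_matches(var_value, ip):
    """Does ip satisfy a variable value of 'any', 'net/prefix' or '!net/prefix'?"""
    if var_value == "any":
        return True
    negate = var_value.startswith("!")
    net = ipaddress.ip_network(var_value.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(ip) in net
    return not inside if negate else inside

def header_matches(rule_header, variables, src_ip, dst_ip):
    """Evaluate a header like 'tcp $EXTERNAL_NET any -> $HOME_NET 21' against
    a client->server flow. Ports are ignored in this toy; only the address
    variables and the arrow direction are modelled."""
    _proto, src_var, _sport, arrow, dst_var, _dport = rule_header.split()
    assert arrow == "->", "only unidirectional headers are modelled here"
    src_ok = addr_matches(variables[src_var.lstrip("$")], src_ip)
    dst_ok = addr_matches(variables[dst_var.lstrip("$")], dst_ip)
    return src_ok and dst_ok

# Assumed header shape for the ftp "bad files" rules discussed in the thread;
# the real rule options (content matches, sid, msg) are not reproduced.
RULE_HEADER = "tcp $EXTERNAL_NET any -> $HOME_NET 21"

def matching_flows(home_net):
    """Names of the sample flows the header would fire on for a HOME_NET setting."""
    variables = build_vars(home_net)
    return sorted(name for name, (src, dst) in FLOWS.items()
                  if header_matches(RULE_HEADER, variables, src, dst))

if __name__ == "__main__":
    for setting in ("10.0.0.0/8", "any"):
        print(f"HOME_NET={setting}: {matching_flows(setting)}")
```

Running it shows the trade-off in one line each: with HOME_NET set to a real prefix only the external-to-internal flow is examined, and with both variables set to any every FTP command channel on the wire is, including purely internal ones, which is where the extra alert volume comes from.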