[Snort-sigs] ftp rules question - why only external to internal?

Jerry.L.Rose at ...1475...
Fri Apr 25 11:18:12 EDT 2003

Thanks to all for the responses. I agree that the rules are easily tuned,
and that I can change them for my use as I see fit. I guess what I don't
understand is why the out-of-the-box rule isn't set to any > any. I imagine
there would be very few false positives with that configuration. The
implication is a trust of internal users with the standard configuration.
The benefit of using HOME_NET to ignore outbound traffic that generates
unwanted alerts, say for example HTTP traffic from web surfing, is important.
What I don't understand is why, for example if an internal user tried an
attempted password or shadow file upload/download, anyone running NIDS
wouldn't want to see that.

-----Original Message-----
From: Brian [mailto:bmc at ...95...]
Sent: Friday, April 25, 2003 1:09 PM
To: Rose, Jerry L
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] ftp rules question - why only external to

On Fri, Apr 25, 2003 at 09:35:29AM -0500, Jerry.L.Rose at ...1475...
> I see there are several "bad" sections in the ftp rules ("bad files"
> shown below). My question is why limit these to External network to and
> internal network? Wouldn't it be better to change them to any network to
> network? For example, if an internal user (located on the HOME_NET)
> attempted to download a "bad" file from any ftp server I'd like to know
> about it. What am I missing here?

This is a user specific configuration.  Again, like most of the rules,
you probably want to run setting EXTERNAL_NET and HOME_NET to any.

That's a policy thing.  You decide how you want to run it.  We keep the
rules so it's easy to tune one way or the other rapidly.
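The two tuning approaches discussed above, written out as an added illustration rather than anything posted in the thread or taken from the Snort ruleset; the addresses, rule text and sids below are constructed, and the rule only mimics the shape of the stock ftp "bad file" rules:

```snort
# snort.conf, stock-style variable definitions (constructed addresses)
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Shape of a stock ftp "bad file" rule: it fires only when a client
# outside HOME_NET retrieves a sensitive file from an ftp server inside
# HOME_NET. An internal client pulling the same file from an outside
# server never matches this header. (Constructed rule, local sid range.)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; \
    flow:to_server,established; content:"RETR"; nocase; content:"passwd"; nocase; \
    classtype:suspicious-filename-detect; sid:1000001; rev:1;)

# Option 1 (Brian's suggestion): leave every rule as shipped and widen the
# variables instead. Both must change: "!$HOME_NET" with HOME_NET set to
# any is a negated any, which snort rejects at startup.
var HOME_NET any
var EXTERNAL_NET any

# Option 2 (Jerry's preference for these rules only): edit the header of
# the ftp rule itself so it matches in either direction, and leave the
# variables as they were so the rest of the ruleset is unaffected.
alert tcp any any -> any 21 (msg:"FTP passwd retrieval attempt (any direction)"; \
    flow:to_server,established; content:"RETR"; nocase; content:"passwd"; nocase; \
    classtype:suspicious-filename-detect; sid:1000002; rev:1;)
```

Option 1 touches every rule that references HOME_NET or EXTERNAL_NET, which is the outbound-noise concern Jerry raises about web surfing; option 2 keeps the change local to the ftp rules you actually want watched in both directions.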
