[Snort-sigs] ftp rules question - why only external to internal?

Matt Kettler mkettler at ...189...
Fri Apr 25 14:55:01 EDT 2003

At 12:15 PM 4/25/2003 -0500, Jerry.L.Rose at ...1475... wrote:
>Thanks to all for the responses. I agree that the rules are easily tuned, 
>and that I can change them for my use as I see fit. I guess what I don't 
>understand is why the out-of-the-box rule isn't set to any > any. I 
>imagine there would be very few false positives with that configuration. 
>The implication is a trust of internal users with the standard 
>configuration. The benefits of using HOME_NET for ignoring outbound 
>traffic generating unwanted alerts, say for example http traffic from web 
>surfing is important. What I don't understand is why, for example if an 
>internal user tried an attempted password or shadow file upload/download, 
>anyone running NIDS wouldn't want to see that.

In general the paradigm of the default ruleset is to watch for attacks from 
the external net to the internal net. Note that there's no strict rule as 
to what "internal" and "external" need to be defined as in terms of 
physical machines.

If you really want to watch for outbound attacks as well as inbound ones, 
rather than tuning individual rules, you should just consider setting 
external_net and internal_net both to "any". The same argument you make 
about this rule applies to pretty much EVERY rule in the ruleset.

The drawback of using "any" for home and external is that the snort rule 
takes longer to run, but does let you watch for the inside network 
attacking outside machines. This means it has to inspect all FTP traffic, 
not just connections to a server within HOME_NET, which is a lot more overhead.

I think the best guideline is to set HOME_NET to the list of machines you 
want to watch for attacks, and EXTERNAL_NET to the list of machines you 
check as sources of attack. Pick the minimal set you can for each category 
to reduce CPU overhead and false alerts, or pick any/any if you have CPU to 
spare and don't mind extra alerts.

Note that using the above concept means that in some cases your 
"EXTERNAL_NET" becomes the local LAN, and the HOME_NET is everything else 
on the internet. A good example where this might apply (depending on 
network specifics) is a public-access lab at a college campus. Of course, 
you might actually use an any/any configuration here too, depending on how 
the firewall is configured.

Overall I'd say it's generally a bad idea to try to enforce a particular 
paradigm at the rule level.... leave that up to the var definitions. This 
is where someone can configure snort to watch for inbound attacks, outbound 
attacks, or both, and do so without having to have the default snort 
ruleset hacked up.
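The three variable choices the reply describes (the default, any/any, and the inverted public-lab case), as an added illustration that is not part of the thread or of Snort itself: a small Python model of the address-matching half of a rule header such as `alert tcp $EXTERNAL_NET any -> $HOME_NET 21`, run over constructed LAN and flow addresses to show which FTP sessions each setting actually inspects.

```python
"""Which FTP flows a direction-bound Snort rule header inspects under
the three HOME_NET / EXTERNAL_NET settings from the thread.

Added illustration, not Snort code: a toy re-implementation of the
address-match part of a rule header. CIDR blocks and flows are
constructed sample values.
"""
from ipaddress import ip_address, ip_network

LAN = "192.168.1.0/24"  # constructed sample LAN


def in_var(addr, var):
    """Snort-style variable test: "any", a network, or a negated (!) network."""
    if var == "any":
        return True
    if var.startswith("!"):
        return not in_var(addr, var[1:])
    return ip_address(addr) in ip_network(var)


# The three variable settings discussed in the reply.
CONFIGS = {
    "default":  {"HOME_NET": LAN, "EXTERNAL_NET": "!" + LAN},
    "any/any":  {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    # public-access lab: the LAN is the suspected *source* of attacks
    "inverted": {"HOME_NET": "!" + LAN, "EXTERNAL_NET": LAN},
}

# Constructed FTP sessions: (label, client ip, server ip)
FLOWS = [
    ("inbound",  "203.0.113.7",  "192.168.1.10"),
    ("outbound", "192.168.1.22", "198.51.100.5"),
    ("internal", "192.168.1.22", "192.168.1.10"),
    ("external", "203.0.113.7",  "198.51.100.5"),
]


def inspected(config, flows=FLOWS):
    """Labels of flows whose header matches $EXTERNAL_NET -> $HOME_NET 21."""
    return [label for label, src, dst in flows
            if in_var(src, config["EXTERNAL_NET"])
            and in_var(dst, config["HOME_NET"])]


if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(f"{name:9s} inspects {inspected(cfg)}")
```

The any/any setting is the only one that evaluates every session, which is the extra inspection overhead the reply warns about; the inverted setting catches the outbound case alone.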
