[Snort-sigs] ftp rules question - why only external to internal?
mkettler at ...189...
Fri Apr 25 14:55:01 EDT 2003
At 12:15 PM 4/25/2003 -0500, Jerry.L.Rose at ...1475... wrote:
>Thanks to all for the responses. I agree that the rules are easily tuned,
>and that I can change them for my use as I see fit. I guess what I don't
>understand is why the out-of-the-box rule isn't set to any > any. I
>imagine there would be very few false positives with that configuration.
>The implication is a trust of internal users with the standard
>configuration. The benefit of using HOME_NET for ignoring outbound
>traffic generating unwanted alerts, say for example http traffic from web
>surfing, is important. What I don't understand is why, for example if an
>internal user tried an attempted password or shadow file upload/download,
>anyone running NIDS wouldn't want to see that.
In general the paradigm of the default ruleset is to watch for attacks from
the external net to the internal net. Note that there's no strict rule as
to what "internal" and "external" need to be defined as in terms of
If you really want to watch for outbound attacks as well as inbound ones,
rather than tuning individual rules, you should just consider setting
external_net and internal_net both to "any". The same argument you make
about this rule applies to pretty much EVERY rule in the ruleset.
The drawback of using "any" for home and external is that the snort rule
takes longer to run, but does let you watch for the inside network
attacking outside machines. This means it has to inspect all FTP traffic,
not just connections to a server within HOME_NET, which is a lot more overhead.
I think the best guideline is to set HOME_NET to the list of machines you
want to watch for attacks, and EXTERNAL_NET to the list of machines you
check as sources of attack. Pick the minimal set you can for each category
to reduce CPU overhead and false alerts, or pick any/any if you have CPU to
spare and don't mind extra alerts.
Note that using the above concept means that in some cases your
"EXTERNAL_NET" becomes the local LAN, and the HOME_NET is everything else
on the internet. A good example where this might apply (depending on
network specifics) is a public-access lab at a college campus. Of course,
you might actually use an any/any configuration here too, depending on how
the firewall is configured.
Overall I'd say it's generally a bad idea to try to enforce a particular
paradigm at the rule level... leave that up to the var definitions. This
is where someone can configure snort to watch for inbound attacks, outbound
attacks, or both, and do so without having to have the default snort
ruleset hacked up.
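The point made above, that the direction a rule watches is decided by the HOME_NET and EXTERNAL_NET variables rather than by the rule text, is easy to see by modelling how a header like `alert tcp $EXTERNAL_NET any -> $HOME_NET 21` selects connections under different variable settings. The Python below is an added illustration, not code from the post or from the Snort project: it implements only the part of Snort's header matching that the discussion needs (address variables, `any`, `!` negation and `$VAR` references, a fixed destination port) and uses constructed address ranges and sample FTP connections; real Snort also handles bidirectional headers, port lists and many other details.

```python
"""
Added example (not from the snort-sigs post): a small model of how the
HOME_NET / EXTERNAL_NET variables decide which FTP connections a header
such as  alert tcp $EXTERNAL_NET any -> $HOME_NET 21  will even look at.
The address ranges and the sample connections are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str    # source IP of the TCP connection
    dst: str    # destination IP
    dport: int  # destination port


def parse_var(config, name):
    """Resolve a Snort-style address variable from a config dict.

    Supports 'any', a CIDR, a bracketed list [a,b], a reference to
    another variable ($NAME), and '!' negation in front of any of these.
    Returns (networks, negated); networks is None for 'any'.
    """
    value = config[name].strip()
    negated = False
    if value.startswith("!"):
        negated = True
        value = value[1:].strip()
    if value.startswith("$"):                       # $HOME_NET etc.
        nets, inner_negated = parse_var(config, value[1:])
        return nets, negated != inner_negated       # '!' of '!' cancels
    if value == "any":
        return None, negated
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    nets = [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]
    return nets, negated


def in_var(addr, var):
    """True if addr is covered by a resolved (networks, negated) variable."""
    nets, negated = var
    if nets is None:
        hit = True                                  # 'any' covers everything
    else:
        ip = ipaddress.ip_address(addr)
        hit = any(ip in n for n in nets)
    return hit != negated


def rule_matches(conn, external_net, home_net, dport=21):
    """Emulate the header 'alert tcp $EXTERNAL_NET any -> $HOME_NET 21'."""
    return (conn.dport == dport
            and in_var(conn.src, external_net)
            and in_var(conn.dst, home_net))


# Constructed sample traffic. 192.168.1.0/24 plays the local LAN; the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges play the outside.
SAMPLE_CONNS = [
    Conn("203.0.113.10", "192.168.1.5", 21),    # inbound: outside host -> internal FTP server
    Conn("192.168.1.20", "198.51.100.7", 21),   # outbound: internal user -> outside FTP server
    Conn("192.168.1.20", "192.168.1.5", 21),    # internal -> internal
    Conn("203.0.113.10", "198.51.100.7", 21),   # transit: neither side is ours
    Conn("192.168.1.20", "198.51.100.7", 80),   # outbound web, not FTP at all
]

# Three variable settings from the discussion: the usual inbound-only
# layout, any/any, and the "public lab" layout where the LAN is the
# suspected source and everything else is what we protect.
CONFIGS = {
    "default": {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"},
    "any_any": {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    "lab":     {"EXTERNAL_NET": "192.168.1.0/24", "HOME_NET": "!$EXTERNAL_NET"},
}


def inspected(config_name, conns=SAMPLE_CONNS):
    """Return the sample connections the FTP rule header would inspect."""
    cfg = CONFIGS[config_name]
    ext = parse_var(cfg, "EXTERNAL_NET")
    home = parse_var(cfg, "HOME_NET")
    return [c for c in conns if rule_matches(c, ext, home)]


if __name__ == "__main__":
    for name in CONFIGS:
        hits = inspected(name)
        print(f"{name:8s} inspects {len(hits)} of {len(SAMPLE_CONNS)} connections:")
        for c in hits:
            print(f"    {c.src} -> {c.dst}:{c.dport}")
```

Running it shows the trade-off from the thread directly: the default layout inspects only the inbound connection to the internal server, the lab layout inspects only the outbound one, and any/any inspects every port-21 connection the sensor sees, including the transit connection between two outside hosts, which is where the extra CPU cost and extra alerts come from.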