[Snort-users] Not able to catch internal attacks

Frank Knobbe FKnobbe at ...649...
Tue Oct 17 23:27:38 EDT 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,

yes it can. The definition of outside and inside is preferred when
you want to protect your internal network form intrusion from the
outside. But it doesn't have to be that way. You are right, users in
side can use trojans, launch DoS attacks, etc. as well.

Within the snort script, you specify the source and destination of
traffic. For above example you would define your complete internal
network as internal, and reference !internal (not internal) in the
script to mask external addresses. But that does not have to be that
way. You can also setup, for example, accounting-net with its network
address range, and use !accounting-net to describe the rest of the
(internal) network. You can also create references to individual
servers (i.e. email-server) and use the negated reference to describe
everything else on your LAN (!email-server).

As you can see, you are completely flexible in the construction of
the rule-sets. That allows you to catch 'inside -> inside' attacks
(i.e. !email-server -> email-server or !accounting-net ->
accounting-net). You can setup up different rule sets for different
network segments you would like to monitor.

The advantage snort has above some of the other IDS systems is that
you can be extremely specific in describing attack patterns (which
involves source and destination). 

Also keep in mind that you can always use ANY to describe any source
or destination machine, so you can create rules that alert for
specific traffic to one machine from any other.

Regards,
Frank


> -----Original Message-----
> From: David Harris [mailto:davidh at ...643...]
> Sent: Tuesday, October 17, 2000 8:55 PM
> 
> I always thought one of the advantages of IDS systems were 
> that they were
> able to detect attacks coming from the internal network.  But 
> with the way
> the rules are set up this is not going to happen as most 
> signatures are
> based on "Outside -> Inside" or "Inside -> Outside" so its 
> wont log any
> "Inside -> Inside" attacks.
> 
> - David Harris

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOe0YqURKym0LjhFcEQIRFACfSAzUsZ5eUwE7fpFhBc7bWpYM5r8AoODc
d6esQJQlCzRKw0VC4EQvriYP
=rJO6
-----END PGP SIGNATURE-----



More information about the Snort-users mailing list