[Snort-users] various snort rules files under www.snort.org/Files/rule_breakout

Phil Wood cpw at ...440...
Mon Jan 22 20:10:59 EST 2001


I noticed a number of rules looking for HOME_NET -> HOME_NET in
some of the files at http://www.snort.org/Files/rule_breakout,
like http://www.snort.org/Files/rule_breakout/backdoor-activity.hog.

In our world, those packets get dropped at the router.  It's considered
bad form to send packets to us from our own address space.

I assume it would be appropriate to modify the rules for our
local conditions and make something like EXTERNAL_NET <> HOME_NET
when watching outside, while leaving them as is if watching for
corrupted internal hosts on an internal interface?

Did I say that right?
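
The header rewrite described in the post, as an added example that is not part of the original message or of the Snort distribution: it changes rules whose source and destination are both the home network to EXTERNAL_NET <> HOME_NET for a sensor watching outside, and leaves them untouched for an internal sensor. The function names, the `$HOME_NET`/`$EXTERNAL_NET` variable spelling and the sample rules are assumptions constructed for illustration.

```python
import re

# Snort rule header layout:
#   action proto src_ip src_port direction dst_ip dst_port (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))\s*$'
)

def adapt_rule(line, sensor):
    """Adjust one rule line for the sensor position ('external' or 'internal')."""
    if sensor not in ("external", "internal"):
        raise ValueError("sensor must be 'external' or 'internal'")
    text = line.strip()
    # Internal sensors keep HOME_NET -> HOME_NET rules; comments and blanks pass through.
    if sensor == "internal" or not text or text.startswith("#"):
        return line
    m = HEADER.match(text)
    # Only rules with $HOME_NET on both sides are touched; anything else is left alone.
    if not m or m["src"] != "$HOME_NET" or m["dst"] != "$HOME_NET":
        return line
    # Ports stay on their original sides; only the source address and direction change.
    return ("{action} {proto} $EXTERNAL_NET {sport} <> $HOME_NET {dport} {opts}"
            .format(**m.groupdict()))

def adapt_rules(lines, sensor):
    """Return (new_lines, changed); changed lists the 1-based line numbers rewritten."""
    out, changed = [], []
    for n, line in enumerate(lines, 1):
        new = adapt_rule(line, sensor)
        if new != line:
            changed.append(n)
        out.append(new)
    return out, changed

# Constructed sample rules (not copied from the snort.org rule files).
SAMPLE_RULES = [
    '# constructed sample rules',
    'alert tcp $HOME_NET any -> $HOME_NET 12345 (msg:"constructed backdoor example"; flags:S;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed web example"; content:"test";)',
    'alert udp $HOME_NET 5000 -> $HOME_NET any (msg:"constructed udp example";)',
]

if __name__ == "__main__":
    for sensor in ("external", "internal"):
        rules, changed = adapt_rules(SAMPLE_RULES, sensor)
        print(sensor, "sensor: rewrote lines", changed)
        print("\n".join(rules))
```

The list of changed line numbers is there so each rewritten rule can be reviewed by hand before the file is deployed on the outside-facing sensor.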


