[Snort-users] Home Net

Chris Green cmg at ...671...
Mon Nov 26 18:04:03 EST 2001


"jamesh" <jamesh at ...3784...> writes:

> Is there an advantage (in terms of function of Snort) to specifying mail,
> dns, sql, ect servers instead of pointing all this to $HOME_NET ?
>

The more targeted you can make your ruleset, the better.  If you
control all the machines on your subnet and know when services are
enabled disabled ( using regular portscans or the like ), setting up
small $EMAIL_SERVERS etc. could be beneficial ( you could end up
slowing it down if you did massive lists of non contiguous ips though
).

The biggest benefit is if you know what vulnerabilities could be
critical for your servers versus noncritical ( so you can know how
quickly to act )

More often in the world I live in, we have no idea what all people are
running at any given time and given that you'll generally only see
traffic when a machine is running a particular service, using a set of
rules that all point to HOME_NET is the practical thing to do.
-- 
Chris Green <cmg at ...671...>
A watched process never cores.




More information about the Snort-users mailing list