[Snort-users] false positive + NAT

Lee Brotherston lee.brotherston at ...2716...
Mon Sep 17 06:59:05 EDT 2001


| We do network address translation (hide mode) on the firewall.
| 
| I have a lot of alerts like 
| 
| WEB-MISC http directory traversal
| WEB-MISC ultraboard access
| WEB-MISC whisker head
| 
| source IP		: our firewall, high ports
| destination IP	: web sites, port 80
| 
| This is obviously the traffic back to the web servers, 
| firstly originated by
| our users from the Internal LAN.
| 
| I am wondering how not to log this kind of traffic, and why does snort
| identify this as an attempt.

The best way is to modify the rules so that they look something like:

alert tcp !$HOME_NET -> $HTTP_SERVERS

or to set $EXTERNAL_NET to be !$HOME_NET in your snort.conf

This way attempts are only logged if they come from outside of your address
space.

However if you are doing this, it's best to make sure that you are using
private IP addressing and have anti-spoofing on your LAN, or else you might
neglect to log genuine bad traffic.

There is always the argument about the percentage of hack attempts that
originate internally of course ;)

I have found that you do get a number of false positives from the default
rule set, I would tend to use it as a template rather than a definitive
set-up.  Rather than dropping internal traffic, you might try to cut down
the amount of data to analyse dropping rules that are of no interest to you,
for example if your website is designed to allow directory traversal then
there is not allot of need to log it?

Thanks

  Lee

-- 
Lee Brotherston  -  IP Security Manager, Easynet Ltd
http://www.easynet.net/         Phone: +44 20 7900 4444




More information about the Snort-users mailing list