[Snort-users] exclude home_net from external_net

Gary Flynn flynngn at ...6811...
Thu Oct 24 07:16:17 EDT 2002


pilsl at ...7275... wrote:
> 
> Now I got myriads of alerts when internal clients connect to our squid
> server. Of course this is not what I want (alerts are only useful on
> external connects),
<snip>

I'd strongly disagree with this. It depends a lot on the
signature. A signature that tells me external systems are
performing code red/nimda scans is useless. On the other
hand, one that tells me internal systems are performing
those scans is very useful indeed.

Accurate signatures that are tripped from the outside often
indicate only an attempt or scan. Accurate signatures tripped
from the inside often indicate a compromised box or
inappropriate behavior.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
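
An added example, not part of the original post: one way to keep internal-source alerts and triage them by direction, so that alerts sourced inside HOME_NET are queued for host investigation while outside-sourced ones are treated as attempts. The HOME_NET range, the local-rule SIDs and the alert lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: HOME_NET for this example; substitute your own ranges.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]

# Snort "fast" alert line: [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def classify(line):
    """Return (direction, msg, src, dst), or None for a non-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    side = lambda a: "internal" if is_internal(a) else "external"
    return f"{side(m['src'])}->{side(m['dst'])}", m["msg"], m["src"], m["dst"]

def triage(lines):
    """Split alerts by where the traffic originated, not by signature."""
    inside, outside = [], []
    for alert in filter(None, map(classify, lines)):
        (inside if alert[0].startswith("internal") else outside).append(alert)
    return inside, outside

# Constructed sample alerts (local-rule SIDs and messages are made up).
SAMPLE = [
    "10/24-07:01:02.000001 [**] [1:1000001:1] constructed worm HTTP scan [**] "
    "[Priority: 2] {TCP} 198.51.100.7:4312 -> 192.168.1.10:80",
    "10/24-07:03:40.000002 [**] [1:1000001:1] constructed worm HTTP scan [**] "
    "[Priority: 2] {TCP} 192.168.5.23:1042 -> 203.0.113.9:80",
    "10/24-07:05:11.000003 [**] [1:1000002:1] constructed proxy request [**] "
    "[Priority: 3] {TCP} 192.168.2.14:2210 -> 192.168.1.3:3128",
    "not an alert line",
]

if __name__ == "__main__":
    inside, outside = triage(SAMPLE)
    for d, msg, src, dst in inside:
        print(f"CHECK HOST  {src:15} {d:20} {msg}")
    for d, msg, src, dst in outside:
        print(f"attempt     {src:15} {d:20} {msg}")
```

The same signature lands in both queues here; only the source side of HOME_NET decides which one.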



