[Snort-users] Rules optimization

Erek Adams erek at ...950...
Fri Jun 20 08:22:06 EDT 2003


On Fri, 20 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:

> 1. I have multiple subnets in the segment where I'm monitoring the data. Is
> it possible to add multiple segments in HOME_NET?

	var HOME_NET [10.10.10.0/24,10.20.20.0/24]

If you do that, try and use the best CIDR notation that you can.  The more
subnets you have listed the more impact it will have on the speed of the
program.

> 2. If I add my subnets to HOME_NET, will it be able to capture both
> attacks coming into my network as well as attacks being generated from my
> network? I'm basically monitoring the company's internal network and
> interested in both.

Well, that depends on how you have EXTERNAL_NET set.  Quite a few of the
rules are set up like EXTERNAL_NET -> HOME_NET.  You have two options:

	var HOME_NET any
	var EXTERNAL_NET any

Or run two instances of Snort.  One with an 'incoming' config, and then one
with an 'outgoing' config.

I'll warn you now, you'll see so many false positives using the any,any
thing that it'll make you crazy.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
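An added illustration, not part of Erek's message or of Snort itself: a small Python model of how an `EXTERNAL_NET -> HOME_NET` rule header resolves under the two settings discussed above, plus the subnet-collapsing step behind the "best CIDR notation" advice. It assumes plain Snort-style address variables (`any`, one CIDR, or a bracketed list) with no negation or ports; the flows and addresses are constructed sample data.

```python
# Added example (not from the thread or Snort): a simplified model of Snort
# address variables, enough to compare the HOME_NET/EXTERNAL_NET choices.
import ipaddress

def parse_var(value):
    """Parse a Snort address-variable value: 'any', 'a.b.c.d/n' or '[x,y,...]'."""
    value = value.strip()
    if value == "any":
        return "any"
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [ipaddress.ip_network(p.strip()) for p in value.split(",") if p.strip()]

def matches(var, addr):
    """True if the address falls inside the variable ('any' matches everything)."""
    if var == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in var)

def rule_fires(src_var, dst_var, src, dst):
    """Does a unidirectional header 'src_var -> dst_var' match a src->dst packet?"""
    return matches(src_var, src) and matches(dst_var, dst)

def best_cidr(var):
    """Collapse a subnet list into the fewest covering CIDR blocks (fewer entries
    for Snort to check, which is the point of the 'best CIDR notation' advice)."""
    return [str(n) for n in ipaddress.collapse_addresses(var)]

def count_hits(home_net, external_net, flows):
    """How many sample flows an EXTERNAL_NET -> HOME_NET rule header matches."""
    home, ext = parse_var(home_net), parse_var(external_net)
    return sum(rule_fires(ext, home, s, d) for s, d in flows)

# Constructed sample flows: inbound, outbound, and purely internal traffic.
FLOWS = [
    ("203.0.113.5", "10.10.10.7"),   # internet -> HOME_NET (inbound)
    ("10.10.10.7", "203.0.113.5"),   # HOME_NET -> internet (outbound)
    ("10.10.10.7", "10.20.20.9"),    # subnet -> subnet, both inside HOME_NET
]

if __name__ == "__main__":
    # Listing subnets in HOME_NET: inbound and internal flows match, outbound does not.
    print(count_hits("[10.10.10.0/24,10.20.20.0/24]", "any", FLOWS))  # 2
    # any/any: every flow matches every EXTERNAL_NET -> HOME_NET rule header.
    print(count_hits("any", "any", FLOWS))                            # 3
    print(best_cidr(parse_var("[10.10.10.0/24,10.10.11.0/24]")))      # ['10.10.10.0/23']
```

Under `any`/`any` the header no longer discriminates at all, which is where the flood of false positives Erek warns about comes from; the two-instance approach keeps the direction meaningful in each config.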