[Snort-users] Best External_Net setting

Erek Adams erek at ...950...
Thu May 22 07:36:03 EDT 2003


On Thu, 22 May 2003, Stephen W. Thomas wrote:

> I'm trying to find out what the pros and cons are to setting the
> external_net variable to "!$home_net" instead of "any" on a client's
> network.
>
> The network is currently configured where the internet feeds a router
> which feeds a firewall which feeds a Windows2k network. The network
> consists of Web servers, DNS servers, Exchange servers, and file
> servers. These are all on the same domain. Snort is monitoring that
> domain. My boss is trying to get rid of all of the false hits it's
> taking from inter-server traffic, so I thought that changing the
> External_Net variable to "!$Home_Net" would do it. However, I'm afarid
> if someone broke through the firewall, or spoofed an internal IP then we
> wouldn't get any hits on it.
>
>  Does anyone have any thoughts on External_Net being defined as "any" or
> "!$Home_Net"?

These are only my opinions...  With using 'any' you have the widest
coverage possible.  Snort would examine each and every packet to see if
there was a rule match.  There's also the huge increase in false positives
that you have to contend with.

By swaping over to use !$HOME_NET you limit the amount of data, which does
a few things:  Makes Snort faster, Cut down on False Postives and reduce
memory useage.  With fewer checks to make (all IP's vs all IP's minus
some), Snort will process packets more quickly.  This may only be an issue
if you are on at a high utilization site.

If you're worried about missing things, then add a few rules that catch
'wierd stuff'.  Something like:

	alert ip $WEB_SERVERS any -> $EXTERNAL_NET any (msg:"Outgoing
	SYN from the webserver!"; flags:S;)

Since nothing in WEB_SERVERS should initiate an outgoing connection.  You
can massage that to work for other servers as needed.  For some more
examples check the archives under 'anomaly detection' [0].  There's been
some discussion about how to use standard Snort rules to detect 'wierd
things'.

Is there a perfect setting?  Nope.  Is there one that might work for you?
Yep.  :)

Hope that helps!

-----
Erek Adams
   "When things get weird, the weird turn pro."   H.S. Thompson


[0] http://marc.theaimsgroup.com/?l=snort-users&w=2&r=1&s=anomaly+detection&q=b
    http://marc.theaimsgroup.com/?t=104504313900002&r=1&w=2
    http://marc.theaimsgroup.com/?l=snort-users&m=104547413832200&w=2




More information about the Snort-users mailing list