[Snort-users] Best External_Net setting

Roy S. Rapoport snort-users at ...9230...
Thu May 22 09:40:05 EDT 2003


On Thu, May 22, 2003 at 08:36:25AM -0500, Stephen W. Thomas wrote:
> I'm trying to find out what the pros and cons are to setting the
> external_net variable to "!$home_net" instead of "any" on a client's
> network.
>  
> The network is currently configured where the internet feeds a router
> which feeds a firewall which feeds a Windows2k network. The network
> consists of Web servers, DNS servers, Exchange servers, and file
> servers. These are all on the same domain. Snort is monitoring that
> domain. My boss is trying to get rid of all of the false hits it's
> taking from inter-server traffic, so I thought that changing the
> External_Net variable to "!$Home_Net" would do it. However, I'm afraid
> if someone broke through the firewall, or spoofed an internal IP then
> we wouldn't get any hits on it.
>  
> Does anyone have any thoughts on External_Net being defined as "any"
> or "!$Home_Net"?

I'm hardly an expert on IDS functionality or Snort specifically, but my
stance is that I want to have Snort be reliable enough in terms of its
alerting and avoidance of false positives that I'll feel comfortable
responding vigorously to alerts.  Given that, I want to do everything to
avoid FPs.  Given that, I think you've got to change *something* --
whether it's the rules themselves or the definition of EXTERNAL_NET.

For me, I found that Snort was giving me tons of FPs because my SNMP
polling station was polling various devices via SNMP; since EXTERNAL_NET
was 'anything', the SNMP rules caught this polling and alerted me.  

The question then becomes what your priority is -- ease and simplicity
of management, or catching every possible badness.  For me, for example,
if I changed EXTERNAL to exclude HOME, I'd get rid of FPs at the cost
of not catching it if one of my other devices got compromised and
someone on it started trying to do SNMP polling.  Alternatively, if I
have the time and energy, I could make it so my rules are so specific
that they allow SNMP access *only* from my SNMP polling station; SSH
access *only* from the system that's allowed to do that, etc.

I personally, at least for now, chose to define EXTERNAL as !HOME.

-roy
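
Added example, not part of the original message and not Snort's own code: a simplified Python model of the source-address field of an SNMP rule, showing which flows would alert under the three choices discussed in the thread (`any`, `!$HOME_NET`, and a rule narrowed to exclude only the polling station). The addresses, flow names and helper functions are constructed for illustration.

```python
import ipaddress

# Constructed addressing, not taken from the thread.
HOME_NET = "192.168.10.0/24"
SNMP_POLLER = "192.168.10.5"

def src_matches(spec, ip):
    """Simplified model of a Snort address field: 'any', a CIDR, or '!CIDR'."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(ip) in net
    return inside != negated  # negation flips the membership test

def snmp_rule_fires(src_spec, flow):
    """Model of: alert udp <src_spec> any -> $HOME_NET 161"""
    src, dst, dport = flow
    return (dport == 161
            and src_matches(HOME_NET, dst)
            and src_matches(src_spec, src))

# Constructed flows: (source, destination, destination port)
FLOWS = {
    "poller": (SNMP_POLLER, "192.168.10.20", 161),
    "compromised_internal": ("192.168.10.77", "192.168.10.20", 161),
    "outside": ("203.0.113.9", "192.168.10.20", 161),
}

# The three source definitions weighed in the thread.
SOURCES = {
    "any": "any",                            # EXTERNAL_NET any
    "not_home": "!" + HOME_NET,              # EXTERNAL_NET !$HOME_NET
    "not_poller": "!" + SNMP_POLLER + "/32", # rule narrowed to exclude the poller only
}

def coverage():
    """Return {source definition: {flow name: does the rule alert?}}."""
    return {name: {f: snmp_rule_fires(spec, flow) for f, flow in FLOWS.items()}
            for name, spec in SOURCES.items()}

if __name__ == "__main__":
    for name, result in coverage().items():
        print(f"{name:11s} {result}")
```

Only the narrowed definition both silences the polling station and still alerts on SNMP from another internal host, which is the extra rule-maintenance work the message weighs against simplicity.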






