[Snort-users] External Subnets

adam_peterson at ...10608...
Tue Nov 25 18:15:06 EST 2003


I can't believe that the "!" I chose as an example does what I asked.
That's hilarious.  Thanks for the help and to address the issue you bring
up, I plan to set up a 2nd sensor like this and run it in parallel with my
existing sensor so I can see which alerts I'm missing.  I currently receive
far too many alerts for behaviors that would only be harmful if they were
sent from outside my networks so instead of excluding those rules as I've
done in the past, I'd like to see how they behave with the external_net
variable "properly" defined.

Adam Peterson | Senior WAN Engineer | SPL WorldGroup |
adam_peterson at ...10608... | +1.415.357.4787


Erwin Van de Velde <erwin.vandevelde@ua.ac.be>
To: adam_peterson at ...10608..., snort-users at lists.sourceforge.net
cc:
Subject: Re: [Snort-users] External Subnets
11/26/2003 02:27 AM CET

I haven't tried it yet, and while it's 2:30 AM here in Belgium it will have
to wait till tomorrow :-)
But I think yes, and if not, why don't you say then
var NETWORK = 192.168.0.0/24
var EXTERNAL_NET = !$NETWORK
for example?

Although I don't think it's such a good idea to take anything else than
'any' for the $EXTERNAL_NET, as many attack rules are based on the fact that
the attacker is on the external net. By setting this to something like
!$NETWORK, every employee in your firm on $NETWORK can attack any host on
your network unnoticed, which cannot be what you meant it to be I think...
Any ideas on this?

Greetz,
Erwin Van de Velde
Student of the Antwerp University,
Belgium


On Wednesday 26 November 2003 01:10, adam_peterson at ...10608... wrote:
> Is it possible to specify a negative variable value for a variable?
> Meaning:
>
> var EXTERNAL_NET        !HOME_NET
>
> The bang is just an idea of something that would negate the value so that
> my external_net variable would be any ip/subnet that isn't part of the
> home_net variable.  Is there anything in place to allow for this?  Could
> there be?  Since so many of the rules are based on the external_net
> variable, it's very frustrating that it must be set to ANY for my
> configurations because I can't specify every subnet on the Internet...or
> can I?
>
> Any help/advice is greatly appreciated.
>
> Adam Peterson | Senior WAN Engineer | SPL WorldGroup |
> adam_peterson at ...10608...
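As an added example for this thread (not code from the thread, from Snort, or from either poster), the Python below models how Snort-style IP-list variables resolve, including the `!` negation Adam asked about and the `!$NETWORK` form Erwin suggested, and evaluates a typical `alert tcp $EXTERNAL_NET any -> $HOME_NET 80` header against a few flows. It shows Erwin's caveat concretely: with `EXTERNAL_NET = !$HOME_NET`, the same rule that fires on an Internet source stays silent for a LAN or branch source, while `EXTERNAL_NET = any` fires on all three. The variable values, rule header and flows are constructed; the model covers only the network part of a rule header and approximates Snort's matching, it is not Snort's parser.

```python
"""Model of Snort IP-list variables (any, CIDR, [list], $VAR, '!' negation) and how
a rule header such as 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80' evaluates
against sample flows. Added example for the thread above; the variable values,
rule and flows are constructed, not taken from anyone's configuration."""
import ipaddress
from dataclasses import dataclass

# Constructed variable definitions, in snort.conf 'var NAME value' style.
SNORT_VARS = {
    "HOME_NET": "[192.168.0.0/24,10.0.0.0/8]",
    "EXTERNAL_NET": "!$HOME_NET",
}


@dataclass(frozen=True)
class NetSpec:
    """A resolved IP list: either 'any', or a set of networks, possibly negated."""
    match_any: bool
    networks: tuple
    negated: bool

    def contains(self, ip: str) -> bool:
        if self.match_any:
            return True
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in self.networks)
        return (not hit) if self.negated else hit


def resolve(expr: str, variables: dict, _depth: int = 0) -> NetSpec:
    """Resolve a Snort IP expression: optional leading '!', then 'any', a CIDR,
    a bracketed comma list, or a $VAR reference (resolved recursively)."""
    if _depth > 10:
        raise ValueError("variable reference loop")
    expr = expr.strip()
    negated = expr.startswith("!")
    if negated:
        expr = expr[1:].strip()
    if expr.startswith("$"):
        inner = resolve(variables[expr[1:]], variables, _depth + 1)
        if inner.match_any:
            if negated:
                raise ValueError("!any would match nothing")
            return inner
        # '!' applied to an already negated list cancels out (!$EXTERNAL_NET == $HOME_NET here).
        return NetSpec(False, inner.networks, inner.negated != negated)
    if expr == "any":
        if negated:
            raise ValueError("!any would match nothing")
        return NetSpec(True, (), False)
    items = expr[1:-1].split(",") if expr.startswith("[") and expr.endswith("]") else [expr]
    nets = tuple(ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip())
    return NetSpec(False, nets, negated)


def header_matches(header: str, variables: dict, flow: dict) -> bool:
    """Evaluate the network part of a rule header against one flow
    (proto, src, sport, dst, dport). Rule options (content, flags...) are not modelled."""
    _action, proto, src, sport, arrow, dst, dport = header.split()
    if proto not in ("any", "ip", flow["proto"]):
        return False

    def one_way(s, sp, d, dp):
        return (resolve(s, variables).contains(flow["src"])
                and resolve(d, variables).contains(flow["dst"])
                and (sp == "any" or int(sp) == flow["sport"])
                and (dp == "any" or int(dp) == flow["dport"]))

    if one_way(src, sport, dst, dport):
        return True
    # '<>' is bidirectional: also try the header with source and destination swapped.
    return arrow == "<>" and one_way(dst, dport, src, sport)


RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80"

# Constructed sample flows, not captured traffic.
FLOWS = {
    "internet_to_web": dict(proto="tcp", src="203.0.113.5", sport=51234, dst="192.168.0.10", dport=80),
    "lan_to_web": dict(proto="tcp", src="192.168.0.20", sport=40000, dst="192.168.0.10", dport=80),
    "branch_to_web": dict(proto="tcp", src="10.20.30.40", sport=40001, dst="192.168.0.10", dport=80),
}


def evaluate(variables: dict) -> dict:
    """Which sample flows the rule header fires on under a given variable set."""
    return {name: header_matches(RULE, variables, flow) for name, flow in FLOWS.items()}


def compare() -> dict:
    """Side by side: EXTERNAL_NET = !$HOME_NET versus EXTERNAL_NET = any."""
    return {
        "negated": evaluate(SNORT_VARS),
        "any": evaluate({**SNORT_VARS, "EXTERNAL_NET": "any"}),
    }


if __name__ == "__main__":
    for setting, results in compare().items():
        print(f"EXTERNAL_NET = {'!$HOME_NET' if setting == 'negated' else 'any'}")
        for name, fired in results.items():
            print(f"  {name:16s} -> {'alert' if fired else 'no alert'}")
```

Running it prints the two tables; the `lan_to_web` and `branch_to_web` rows are the alerts Erwin says would go "unnoticed" with a negated `$EXTERNAL_NET`, and exactly the ones Adam's planned parallel sensor would reveal as missing.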