[Snort-users] snort.conf

AJ Butcher, Information Systems and Computing Alex.Butcher at ...11254...
Wed Apr 21 00:40:04 EDT 2004


--On 20 April 2004 19:18 -0400 Matt Kettler <mkettler at ...4108...> wrote:

> At 03:05 PM 4/20/2004, Chuck Holley wrote:
[snip]
>>  What does the external_net mean??  I guess I am looking for a sample
>> conf with explanations of my options and what they mean.  I am brand new
>> to IDS, excuse my ignorance.
>
> EXTERNAL_NET is just a variable used by many rules in the ruleset. Most
> of the default ruleset looks for attacks which come from an IP address in
> EXTERNAL_NET and go to HOME_NET. Others look for exploit responses going
> the other way.
>
> In general, EXTERNAL_NET should be set to whatever IP addresses you want
> to monitor as potential sources of attack. "any" is a good starting
> point, but !HOME_NET also has it's merits in that you save CPU time by
> not checking packets generated by your own network as a source of attack.
>
> However, what you want/need to monitor is very dependent on what kind of
> network you run. For example, if you worked for a university, it might
> well be that you would reverse the typical meanings of HOME and EXTERNAL
> and monitor for attacks coming from your computer labs and being launched
> into the rest of the world.

...or even monitor from any to any. :-)

IMHO, just like outbound (aka egress) filtering, this is good practice and 
shouldn't just be done by universities.

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list