[Snort-users] snort.conf

James Riden j.riden at ...11179...
Wed Apr 21 02:01:15 EDT 2004


"AJ Butcher, Information Systems and Computing" <Alex.Butcher at ...11254...> writes:

> --On 20 April 2004 19:18 -0400 Matt Kettler <mkettler at ...4108...> wrote:
>
>> In general, EXTERNAL_NET should be set to whatever IP addresses you want
>> to monitor as potential sources of attack. "any" is a good starting
>> point, but !HOME_NET also has it's merits in that you save CPU time by
>> not checking packets generated by your own network as a source of attack.
>>
>> However, what you want/need to monitor is very dependent on what kind of
>> network you run. For example, if you worked for a university, it might
>> well be that you would reverse the typical meanings of HOME and EXTERNAL
>> and monitor for attacks coming from your computer labs and being launched
>> into the rest of the world.
>
> ...or even monitor from any to any. :-)
>
> IMHO, just like outbound (aka egress) filtering, this is good practice
> and shouldn't just be done by universities.

A lot of my signatures, especially for viruses/worms look for stuff
originating from inside and heading anywhere. Frankly, I expect there
to be viruses outside, so that's not news. If it's coming from inside,
panic time.

It comes naturally after a bit of tweaking - except with flexresp I'm
very careful not to send RSTs/port unreachables to external addresses.

-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/






More information about the Snort-users mailing list