[Snort-users] Home_net/External Net question

John Duksta jduksta at ...11827...
Thu Sep 9 03:05:28 EDT 2004


On Wed, 8 Sep 2004 13:34:53 -0700 (PDT), Seth Art <adidas30 at ...131...> wrote:
> Background:
> 
> I have 2 firewalls, each monitoring 3 subnets.
> 
> Subnets a, b, and c and VPN pool1 are going out/coming
> in through firewall one.
> Subnets d, e, and f and VPN pool2 are going out/coming
> in through firewall two.
> 
> On my sensor inside of Firewall 1 HOME_NET is
> [a,b,c,vpnpool1]
> On my sensor inside of Firewall 2 HOME_NET is
> [d,e,f,vpnpool2]
> 
> EXTERNAL_NET on both are !$HOME_NET
> 
> a) keep the home_nets the same but make a new variable
>  called entire_home_net and include all 6 subnets and
> both vpn pools and negate THAT for the external_net
> 
> b) add subnets a-f and both vpn pools to the home_net
> var on each sensor (I don't think so)

With the way the majority of the stock snort rules are written
(EXTERNAL_NET -> HOME_NET), option a and option b end up being
essentially the same. For option a, if you have traffic going from
net C to net F, it's not going to trigger a rule because you won't
get an address match (C -> F is HOME_NET to ENTIRE_HOME_NET, thus
no match.)

You're really going to have to make this determination based upon
your security policy. Do you consider each environment (Nets
A,B,C,VPN Pool1 and Nets D,E,F, VPN Pool 2) to be a threat to each
other? Are there resources in each group that need to be kept
separate or are these just two different sites, each with the same
kind of users and security policy and traffic flowing freely between
them? If the latter, I would recommend adding all your possible
networks (A-F, VPN Pools 1 and 2) to your home net to reduce your FPs.

HTH,

-j

-- 
John Duksta <jduksta at ...11827...>
Can't sleep, clowns will eat me.
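
Added example, not part of the original message: a small Python model of the `$EXTERNAL_NET -> $HOME_NET` address match as seen by the sensor inside Firewall 1 under the current setup and under options a and b. The addresses are constructed stand-ins for subnets a-f and the VPN pools, and the function, layout and flow names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins: subnets a,b,c + vpnpool1 and d,e,f + vpnpool2.
SITE1 = [ip_network(n) for n in
         ("10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.250.0/24")]
SITE2 = [ip_network(n) for n in
         ("10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24", "10.2.250.0/24")]

def in_nets(addr, nets):
    """True if addr falls inside any network in the list."""
    return any(ip_address(addr) in net for net in nets)

def header_matches(src, dst, home_net, negated_for_external):
    """Address match for a rule written '$EXTERNAL_NET -> $HOME_NET',
    where EXTERNAL_NET is the negation (!) of negated_for_external."""
    return not in_nets(src, negated_for_external) and in_nets(dst, home_net)

# Sensor 1's variables: (HOME_NET, list that EXTERNAL_NET negates)
LAYOUTS = {
    "current":  (SITE1, SITE1),                  # EXTERNAL_NET = !$HOME_NET
    "option_a": (SITE1, SITE1 + SITE2),          # EXTERNAL_NET = !$ENTIRE_HOME_NET
    "option_b": (SITE1 + SITE2, SITE1 + SITE2),  # all nets in HOME_NET
}

# Constructed sample flows as (source, destination).
FLOWS = {
    "internet_to_c": ("198.51.100.7", "10.1.3.20"),
    "f_to_c":        ("10.2.3.20", "10.1.3.20"),
    "c_to_f":        ("10.1.3.20", "10.2.3.20"),
    # Only relevant if sensor 1 ever sees traffic bound for site 2 (assumption).
    "internet_to_f": ("198.51.100.7", "10.2.3.20"),
}

def evaluate():
    """Map layout -> flow -> whether the rule header's addresses match."""
    return {
        layout: {flow: header_matches(src, dst, home, negated)
                 for flow, (src, dst) in FLOWS.items()}
        for layout, (home, negated) in LAYOUTS.items()
    }

if __name__ == "__main__":
    for layout, flows in evaluate().items():
        print(layout, flows)
```

With the current variables, site-to-site traffic such as F -> C matches as external on sensor 1; under options a and b it does not, and the two options differ only for traffic destined to the other site's networks.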



