[Snort-users] Finding rules for internal network

Matt Kettler mkettler at ...4108...
Mon Feb 7 13:47:14 EST 2005

At 04:10 PM 2/7/2005, sEc nErD wrote:
>I am trying to work through a snort box on debian configured by some other 
>engineer for the rule sets.
>I have to find why the snort is able to detect outside scans on the 
>network but not able to detect inside scans ,for inside scan scanner used 
>is Super Scan
>Could anybody tell me where exactly to look for in the rule set snort.conf?

For rules, most rules in snort look for attacks from "EXTNERAL_NET" to 
"HOME_NET", and ignore attacks not coming from EXTERNAL_NET.

If you want to monitor attacks in general, HOME_NET and EXTERNAL_NET should 
both be set to "any".

Also, you need to be sure that the snort box will even see the traffic in 
question. It's pretty much impossible to monitor all traffic inside an 
entire lan, unless you only use hubs. With switches you can use spanning to 
monitor one or more ports, but it's difficult to capture everything on all 
ports without the switch dropping packets.

Also, be aware that the portscan preprocessors handle things differently, 
and you may need to modify their parameters separately.

More information about the Snort-users mailing list