[Snort-users] Snort rules

Matt Kettler mkettler at ...4108...
Tue Feb 8 17:01:20 EST 2005


At 03:16 PM 2/8/2005, sEc nErD wrote:
>port scans like $external any-->$Home Network
>Now the client is questioning us as to why this should not be checked both 
>ways..he is saying if it is somebody in their network doing a port scan it 
>will go unnoticed.
>can anybody answer this?
Really, this is a confusion on your part, but one you've been led to by the 
choice of wording for "EXTERNAL_NET" and "HOME_NET". Don't take those names 
too litteraly.

EXTERNAL_NET should be set to all the hosts that you do not trust. For most 
networks, this is everything except HOME_NET, but for some networks this is 
the world.


HOME_NET should be set to all the hosts you want to monitor as a target of 
attacks. For most networks, this is everything inside, but for some 
networks, this is the whole world.

Choose EXTERNAL_NET and HOME_NET settings accordingly. Sounds like your 
client wants EXTERNAL_NET set to "any" and HOME_NET set to their network IPs.

However, even setting EXTERNAL_NET to any will not likely wind up detecting 
scans running inside a LAN, because the LAN network is switched. Because of 
the switching snort will not see the packets at all, as they are not even 
going to arrive at the snort box in the first place.

Monitoring the inside of a lan is tricky, and it's impossible to monitor 
ALL the traffic inside a lan. Your best bet is using port mirroring on some 
of your critical trunk ports at the core of the network, or near the server 
farm.

  If this is lost on you, read up on how ethernet switching works. Read in 
DETAIL. It's very critical you understand the concepts behind switching 
before even considering trying to set up an in-lan snort sensor. In fact, 
you really should understand how switching works at a basic level before 
setting up ANY snort sensor at all. It's very easy to do something like 
plug snort into a switch port and wonder why it detects nothing until you 
enable port mirroring.









More information about the Snort-users mailing list