[Snort-users] Snort rules
mkettler at ...4108...
Tue Feb 8 17:01:20 EST 2005
At 03:16 PM 2/8/2005, sEc nErD wrote:
>port scans like $external any-->$Home Network
>Now the client is questioning us as to why this should not be checked both
>ways..he is saying if it is somebody in their network doing a port scan it
>will go unnoticed.
>can anybody answer this?
Really, this is a confusion on your part, but one you've been led to by the
choice of wording for "EXTERNAL_NET" and "HOME_NET". Don't take those names

EXTERNAL_NET should be set to all the hosts that you do not trust. For most
networks, this is everything except HOME_NET, but for some networks this is

HOME_NET should be set to all the hosts you want to monitor as a target of
attacks. For most networks, this is everything inside, but for some
networks, this is the whole world.

Choose EXTERNAL_NET and HOME_NET settings accordingly. Sounds like your
client wants EXTERNAL_NET set to "any" and HOME_NET set to their network IPs.

However, even setting EXTERNAL_NET to any will not likely wind up detecting
scans running inside a LAN, because the LAN network is switched. Because of
the switching, snort will not see the packets at all, as they are not even
going to arrive at the snort box in the first place.

Monitoring the inside of a LAN is tricky, and it's impossible to monitor
ALL the traffic inside a LAN. Your best bet is using port mirroring on some
of your critical trunk ports at the core of the network, or near the server

If this is lost on you, read up on how Ethernet switching works. Read in
DETAIL. It's very critical you understand the concepts behind switching
before even considering trying to set up an in-LAN snort sensor. In fact,
you really should understand how switching works at a basic level before
setting up ANY snort sensor at all. It's very easy to do something like
plug snort into a switch port and wonder why it detects nothing until you
enable port mirroring.
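The variable semantics discussed in this thread, as an added Python model (not Snort's own code): it expands `$HOME_NET` / `$EXTERNAL_NET`, `any`, `!` negation and `[a,b]` lists the way a Snort 2 rule header `$EXTERNAL_NET any -> $HOME_NET any` resolves them, then checks two constructed packets (a scan from outside and one from inside the LAN) under `EXTERNAL_NET !$HOME_NET` versus `EXTERNAL_NET any`. The network and IP values are constructed samples, and the model only covers address matching; it says nothing about whether a switched LAN ever delivers the packet to the sensor.

```python
import ipaddress

def resolve_addr(spec, variables):
    """Expand a Snort 2 address spec into (negated, networks).
    networks is None for 'any'; '$VAR' is looked up in variables."""
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:].strip()
    if spec.startswith("$"):                      # variable reference, possibly itself negated
        inner_negated, nets = resolve_addr(variables[spec[1:]], variables)
        return negated ^ inner_negated, nets
    if spec == "any":
        return negated, None
    items = spec.strip("[]").split(",")            # single CIDR or [a,b,...] list
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def addr_matches(ip, spec, variables):
    """True when ip satisfies the address spec (honouring '!' negation)."""
    negated, nets = resolve_addr(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(src_ip, dst_ip, rule_src, rule_dst, variables):
    """True when a packet's addresses satisfy the header 'rule_src -> rule_dst'."""
    return (addr_matches(src_ip, rule_src, variables)
            and addr_matches(dst_ip, rule_dst, variables))

# Constructed sample: the client's LAN as HOME_NET, two candidate EXTERNAL_NET settings.
DEFAULT_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
ANY_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}

# Constructed sample packets: (source, destination) for an outside and an inside scan.
OUTSIDE_SCAN = ("203.0.113.5", "192.168.1.10")
INSIDE_SCAN = ("192.168.1.77", "192.168.1.10")

def scan_rule_fires(packet, variables):
    """Apply the header '$EXTERNAL_NET any -> $HOME_NET any' to a (src, dst) pair."""
    src, dst = packet
    return header_matches(src, dst, "$EXTERNAL_NET", "$HOME_NET", variables)

if __name__ == "__main__":
    for label, variables in (("!$HOME_NET", DEFAULT_VARS), ("any", ANY_VARS)):
        print("EXTERNAL_NET", label,
              "outside scan:", scan_rule_fires(OUTSIDE_SCAN, variables),
              "inside scan:", scan_rule_fires(INSIDE_SCAN, variables))
```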