[Snort-users] EXTERNAL_NET: any vs !$HOME_NET

Hari Sekhon hpsekhon at ...14012...
Mon Jan 1 12:36:13 EST 2007

I've currently got "var EXTERNAL_NET any" in my snort.conf and was
considering making it "var EXTERNAL_NET !$HOME" instead, but looking
at the rules files, it seems that most rules will immediately
disregard any suspicious traffic from your HOME_NET in this case,
which basically blinds you to any internal threats.

I am also running snort on several servers that are not publicly
accessible (ie port forwards) but want to be able to see malicious or
suspicious traffic from all networks.

The current problem with the EXTERNAL_NET any is that a lot of rules
are throwing up too many false positives and it's very difficult to go
around writing pass rules for every other packet that goes through the
network interface (I exaggerate slightly)

It's seems a very difficult juggling act to on the one hand stop false
positives and
on the other to not totally negate the worth of the ids by making it too loose.

For example I have stacks of "MS Terminal server request RDP" alerts
coming from machines on my home net. I can see how changing the
EXTERNAL_NET would be a good idea to stop these unless they come from
outside the network, but considering that this also stops most rules
from matching if somebody attacks from a machine within the building
or any remote site connected via vpn (which are included in HOME_NET
and therefore excluded from EXTERNAL_NET)

Anybody got any advise on this?

Hari Sekhon

More information about the Snort-users mailing list