[Snort-users] Upgraded to 2.8.6 and external network addresses

Nick Moore nmoore at ...1935...
Thu Apr 29 18:07:47 EDT 2010


James,

One more thing: I often recommend leaving EXTERNAL_NET as "any". That way if
a machine in your HOME_NET gets infected and starts to misbehave, you will
see more rules trigger. Many rules are written as "alert tcp $EXTERNAL_NET
any -> $HOME_NET someport ('msg...."

Happy Snorting!

Nick

On Thu, Apr 29, 2010 at 4:11 PM, James R. Marcus <jmarcus at ...14853...> wrote:

> Yes I did misunderstand, thank you for posting the link, it was very
> helpful.
>
> James
>
>
> On Apr 29, 2010, at 4:56 PM, Burks, Doug wrote:
>
> > Hi James,
> >
> > I think you're misunderstanding the purpose of EXTERNAL_NET.  Quoting
> > from http://seclists.org/snort/2007/q1/3 :
> > "HOME_NET is a list of systems you are interested in protecting.
> > EXTERNAL_NET is a list of systems you are interested in protecting
> > HOME_NET from."
> >
> > Regards,
> > Doug Burks
> >
> > -----Original Message-----
> > From: James R. Marcus [mailto:jmarcus at ...14853...]
> > Sent: Thursday, April 29, 2010 4:46 PM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Upgraded to 2.8.6 and external network addresses
> >
> > Hi,
> > Pretty new to Snort. I upgraded to 2.8.6 today and I'm running on CentOS
> > 5.3 64-bit. In reality I didn't upgrade, I removed (not uninstalled)
> > all the Snort binaries from my system and then installed an RPM of
> > 2.8.6. I copied a fair amount of my configuration from the snort.conf of
> > my earlier version.  I specified my Web servers, telnet servers (phone
> > system), etc in the configuration.  Then I came to the EXTERNAL_NET
> > variable and looked at the IPs assigned to my routers. I added the
> > CIDR nets we were assigned.  So now I'm getting a lot fewer alerts, is
> > that because of the additional detail I provided for network services and
> > external networks?
> >
> > I know it says a good start may be "any" but is that because some people
> > don't know their external CIDR net?
> >
> >
> > These aren't my real IPs:
> >
> >
> > # Set up the external network addresses.  A good start may be "any"
> > var EXTERNAL_NET [67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]
> >
> >
> >
> > Thanks,
> > James
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore at ...1935...
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org
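Nick's point about leaving EXTERNAL_NET as "any", worked through as an added example that is not part of this thread and not Snort's own parser: a small model of how a rule header such as `alert tcp $EXTERNAL_NET any -> $HOME_NET 80` resolves against packet addresses under three different EXTERNAL_NET settings. The HOME_NET value `10.0.0.0/24` and the source addresses are constructed; the three CIDRs are the placeholder blocks James posted from his snort.conf; `!$HOME_NET` is included as a commonly used third setting that the thread does not itself discuss. The list semantics (`any`, CIDR, `$VAR`, `!` negation, bracketed lists) are a simplified approximation of Snort's IP-variable handling.

```python
"""Model of how Snort resolves $EXTERNAL_NET / $HOME_NET in a rule header.

Added example; not Snort code. The IP-list matcher is a simplified
approximation of Snort's variable semantics, sufficient to show why the
choice of EXTERNAL_NET changes which packets a rule can fire on.
"""
import ipaddress


def _split_list(body):
    """Split the inside of a [...] list on top-level commas (nested lists allowed)."""
    items, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def ip_matches(spec, ip, variables):
    """True if address `ip` is covered by the Snort-style IP spec `spec`.

    Supports: any, host/CIDR, $VAR references, a leading ! negation, and
    [a,b,!c] lists. A list matches when no negated entry matches and some
    positive entry matches (a list of only negations matches everything else).
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return ip_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        entries = _split_list(spec[1:-1])
        positives = [e for e in entries if not e.startswith("!")]
        negatives = [e[1:] for e in entries if e.startswith("!")]
        if any(ip_matches(n, ip, variables) for n in negatives):
            return False
        if not positives:
            return True
        return any(ip_matches(p, ip, variables) for p in positives)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(header, src_ip, dst_ip, dst_port, variables):
    """Evaluate a rule header like 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80'.

    Only the IP parts and the destination port ('any' or one number) are
    modelled; the source port is ignored. Specs must not contain spaces.
    """
    _action, _proto, src_spec, _sport, arrow, dst_spec, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are modelled")
    if dport != "any" and int(dport) != dst_port:
        return False
    return (ip_matches(src_spec, src_ip, variables)
            and ip_matches(dst_spec, dst_ip, variables))


# Constructed stand-in for James's protected network.
HOME_NET = "[10.0.0.0/24]"
# The (not real) public blocks James placed in EXTERNAL_NET.
OWN_PUBLIC_CIDRS = "[67.89.243.208/28,64.112.133.96/27,66.47.194.100/30]"
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80"

SETTINGS = {
    "any": "any",                          # Nick's recommendation
    "!$HOME_NET": "!$HOME_NET",            # a common alternative (assumed)
    "own public CIDRs": OWN_PUBLIC_CIDRS,  # what James configured
}


def evaluate(src_ip, dst_ip, dst_port=80):
    """Return {setting name: whether RULE fires} for one src -> dst packet."""
    results = {}
    for name, external in SETTINGS.items():
        variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external}
        results[name] = header_matches(RULE, src_ip, dst_ip, dst_port, variables)
    return results


if __name__ == "__main__":
    cases = [
        ("10.0.0.5", "10.0.0.20", "infected internal host hitting a LAN web server"),
        ("203.0.113.7", "10.0.0.20", "arbitrary Internet host hitting the web server"),
        ("67.89.243.210", "10.0.0.20", "host inside one of James's own public blocks"),
    ]
    for src, dst, label in cases:
        print(f"{label}: {evaluate(src, dst)}")
```

With James's setting, only sources inside his own public blocks count as external, so an arbitrary Internet host never matches `$EXTERNAL_NET` and the rule stays silent, which is consistent with the drop in alerts he reported. With "any", the internal-to-internal case fires as well, which is the behaviour Nick wants for spotting a misbehaving HOME_NET machine.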