[Snort-users] How can i stop alerts that come from my own ip range?

Joe Pampel jpampel at ...14829...
Thu May 6 11:13:32 EDT 2010


Since you can have attacks from HOME_NET to HOME_NET, I have long thought it was best practice to leave EXTERNAL_NET as "ANY".
It means more tweaking to deal with specific internal services which trip the system, but isn't it worth it in the end?

"Swordfish" fantasies aside, your biggest threats are probably not super hackers getting through the firewalls through some magic; it's probably a user hitting a bad web server or a zero-day email attachment exploit. It's so much easier to get something in that way and have it spread locally and/or phone home, etc. (or via sneakernet on someone's USB flash drive...) You really need internal visibility or else you just have a hard shell with a squishy middle.

Just look at the recent Google hack.... a URL in an IM was what they used. Very effective...

JM2C, YMMV and the usual disclaimers apply.

On May 6, 2010, at 10:48 AM, Paul Schmehl wrote:

> If you make EXTERNAL_NET any, it would include your own HOME_NET.  Depending
> upon routing or the way a sig is written, you could then get alerts from
> HOME_NET to HOME_NET.
>
> I thought the standard convention was
>
> var HOME_NET [your address space]
> var EXTERNAL_NET !$HOME_NET
>
> --On Wednesday, May 05, 2010 11:40:10 -0400 Joel Esler <jesler at ...1935...>
> wrote:
>
>> Yeah, I wouldn't do a pass rule at all.  Sounds like to me, exactly what
>> Matt said.  Define your HOME_NET as the network you want to protect.
>>  EXTERNAL_NET, leave as any.  Go from there.
>>
>>
>> On Wed, May 5, 2010 at 11:36 AM, Stephen Mullins
>> <steve.mullins.work at ...11827...> wrote:
>>
>> You could just create 3 pass rules (tcp, udp, icmp) based on your
>> $HOME_NET variable.
>>
>> Wouldn't recommend it, though, since traffic from your home net may be
>> indicative of trojan call backs and so forth.
>>
>> You want to pass all traffic with a source IP within your $HOME_NET
>> variable with a destination that you didn't state.  I suppose you want
>> to pass all home_net to home_net traffic?  Passing all home_net to
>> !home_net traffic would be a "pretty bad idea."
>>
>> Steve Mullins
>>
>>
>> On Wed, May 5, 2010 at 10:42 AM, Pat McNamara <pmcnamara at ...14830...> wrote:
>>
>>
>>
>>> Hi all,
>>> What I am trying to do is have Snort disregard any alerts that come from my IP
>>> range and not even write them to the MySQL database. I think it must somehow
>>> be set in the EXTERNAL_NET, but I can't seem to figure it out.
>>> Thanks
>>> Pat
>>>
>>> Pat McNamara
>>> IT Systems Administrator
>>> .NU domain, Ltd.
>>> Worldnames, Inc.
>>> +1-508-359-5600 x116
>>> pmcnamara at ...14830...
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>
>
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
>


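As an added example (not code from this thread or from Snort itself), a small Python model of how a Snort rule header expands `$HOME_NET` and `$EXTERNAL_NET`, run over three constructed flows. The HOME_NET ranges and the addresses are made up, and the address-spec evaluator is a simplification of Snort's real parser. It shows what the thread argues: with `var EXTERNAL_NET !$HOME_NET` an `$EXTERNAL_NET any -> $HOME_NET any` rule never sees HOME_NET-to-HOME_NET traffic, while `any` keeps that visibility, and Steve's `pass` rule keyed on a `$HOME_NET` source would also silence outbound callbacks.

```python
import ipaddress

# Constructed sample address space standing in for "var HOME_NET [your address space]".
HOME_NET = ["192.168.10.0/24", "10.0.0.0/8"]

# Constructed sample flows as (src, dst) pairs.
FLOWS = {
    "inbound":  ("203.0.113.7", "192.168.10.5"),   # outside host hitting an internal box
    "lateral":  ("192.168.10.5", "192.168.10.9"),  # internal host attacking another internal host
    "callback": ("192.168.10.5", "203.0.113.7"),   # internal host phoning home
}


def in_net(ip, nets):
    """True if ip falls inside any CIDR in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def matches_addr(ip, spec, variables):
    """Evaluate a (simplified) Snort address spec: 'any', '$VAR', '!$VAR' or a CIDR."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec.startswith("$"):
        value = variables[spec[1:]]  # a variable holds either another spec or a CIDR list
        hit = matches_addr(ip, value, variables) if isinstance(value, str) else in_net(ip, value)
    else:
        hit = in_net(ip, [spec])
    return not hit if negate else hit


def header_matches(src, dst, src_spec, dst_spec, variables):
    """True if a rule header 'src_spec -> dst_spec' would match this flow."""
    return matches_addr(src, src_spec, variables) and matches_addr(dst, dst_spec, variables)


def alert_coverage(external_net, src_spec="$EXTERNAL_NET", dst_spec="$HOME_NET"):
    """Which sample flows a rule with this header sees under a given EXTERNAL_NET setting."""
    variables = {"HOME_NET": HOME_NET, "EXTERNAL_NET": external_net}
    return {name: header_matches(s, d, src_spec, dst_spec, variables) for name, (s, d) in FLOWS.items()}


def pass_rule_suppresses(src, dst):
    """Steve's suggestion: 'pass ip $HOME_NET any -> any any' silences any flow with an internal source."""
    return header_matches(src, dst, "$HOME_NET", "any", {"HOME_NET": HOME_NET})


if __name__ == "__main__":
    for setting in ("!$HOME_NET", "any"):
        print(f"EXTERNAL_NET {setting}: {alert_coverage(setting)}")
    print("pass rule hides callback:", pass_rule_suppresses(*FLOWS["callback"]))
```

Under `!$HOME_NET` the lateral flow is invisible to inbound-style rules, which is the "hard shell with a squishy middle" Joe describes.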



