[Snort-users] Internal Network vs. External Network

Peter Bates peter.bates at ...15381...
Wed Sep 12 11:21:55 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

On 12/09/2012 16:04, Turnbough, Bradley E. wrote:
> I have two networks behind my firewall which have an IDS
> requirement.  They are both "Internal" because they're "inside" my
> company.
> 
> Snort operates on "Internal" and "External" networks.
> 
> Should I consider the "internal networks" the ones that require the
> IDS, and everything outside of them to be "external networks"?

Yes - a good starting point is generally

ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET

Obviously replacing the RFC1918 addresses with your actual public
address ranges.

There is an argument for

ipvar EXTERNAL_NET any

if your IDS is placed where it might see intra-network traffic - i.e.
traffic from one of your hosts to another, typically indicative of
worm-like activity.

However, generally the majority of unusual traffic these days seems to
be either heading from your HOME_NET to EXTERNAL_NET - or EXTERNAL_NET
attackers hitting services you may be running on HOME_NET.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQUKiTAAoJELhVoVpEMS6RY5MH/1XKSjE7vmQcT/GpeJRmdH3Z
XRzGSMYg/pkMbmk+fds2/LowBcIuB7ngojMNnBOHawqffVvJYBi1/SO+IhdJzMyo
WJg4dytclwGNaj97FQPbr6HYQKRGQf2Oqj4fkFmfMkoln0t5aNQGI0K5BO6eY2Q5
z4YOFjebz4QXAN6zQu9xW888iS8rcR9g/Bzc50+meQSpnb6xlMYi7Ag5VJ6pCDl/
qQbpanaDHlf+kXsKT7GUGT2idGP1/Q5NoeK8HG/YHvQc9KwI1oR0Pg2nKWp9wvr9
+9OfgP7o1fxb0PDCGxdbZ1xJmeiKkgGMF93cAX0IivkQKuHtN0NeuCbCFH7UEr4=
=69uv
-----END PGP SIGNATURE-----
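The difference between `ipvar EXTERNAL_NET !$HOME_NET` and `ipvar EXTERNAL_NET any` is easiest to see by evaluating a rule header against a few flows. The script below is an added example, not code from the mailing list post or from Snort itself: it implements a small interpreter for Snort's ipvar syntax (`any`, `$VAR`, `!X`, `[a,b,...]`, CIDR literals) and checks which of three constructed flows (inbound, outbound, and lateral host-to-host) a `$EXTERNAL_NET -> $HOME_NET` and a `$HOME_NET -> $EXTERNAL_NET` rule header would match under each definition. The flow addresses, the two rule headers and the function names are assumptions made for the example.

```python
import ipaddress


def _split_top_level(body):
    """Split the body of a Snort list on commas that are not inside nested [...]."""
    items, depth, cur = [], 0, ""
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def compile_ipvar(expr, variables):
    """Return a predicate ip_string -> bool implementing Snort ipvar semantics.

    Supported forms: 'any', '$NAME' (looked up in `variables`), '!X' (negation),
    '[a,b,...]' (list, possibly nested, entries may be negated) and CIDR/host literals.
    """
    expr = expr.strip()
    if expr == "any":
        return lambda ip: True
    if expr.startswith("!"):
        inner = compile_ipvar(expr[1:], variables)
        return lambda ip: not inner(ip)
    if expr.startswith("$"):
        return compile_ipvar(variables[expr[1:]], variables)
    if expr.startswith("[") and expr.endswith("]"):
        parts = _split_top_level(expr[1:-1])
        positives = [compile_ipvar(p, variables) for p in parts if not p.startswith("!")]
        negatives = [compile_ipvar(p[1:], variables) for p in parts if p.startswith("!")]
        # Snort list semantics: the address must be covered by some positive entry
        # (if any exist) and by none of the negated entries.
        return lambda ip: ((not positives or any(p(ip) for p in positives))
                           and not any(n(ip) for n in negatives))
    net = ipaddress.ip_network(expr, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def rule_matches(header, flow, variables):
    """Check a (src, dst) flow against the address fields of a Snort rule header.

    `header` looks like 'alert tcp $EXTERNAL_NET any -> $HOME_NET any'; ports are
    ignored here because the point is the address variables.
    """
    tokens = header.split()  # action proto src_addr src_port dir dst_addr dst_port
    src_pred = compile_ipvar(tokens[2], variables)
    dst_pred = compile_ipvar(tokens[5], variables)
    src, dst = flow
    if tokens[4] == "->":
        return src_pred(src) and dst_pred(dst)
    if tokens[4] == "<>":
        return (src_pred(src) and dst_pred(dst)) or (src_pred(dst) and dst_pred(src))
    raise ValueError("unknown direction operator: %s" % tokens[4])


# Constructed sample flows (hypothetical addresses; 203.0.113.0/24 is documentation space).
FLOWS = {
    "inbound":  ("203.0.113.5", "10.0.0.7"),   # Internet host -> internal server
    "outbound": ("10.0.0.7", "203.0.113.5"),   # internal host -> Internet
    "lateral":  ("10.0.0.7", "192.168.1.9"),   # internal host -> another internal host
}

# Assumed rule headers standing in for the bulk of a typical ruleset.
INBOUND_RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"
OUTBOUND_RULE = "alert tcp $HOME_NET any -> $EXTERNAL_NET any"


def coverage(external_net):
    """Map each flow name to (inbound rule fires, outbound rule fires) for a given
    EXTERNAL_NET definition, with HOME_NET as in the post."""
    variables = {
        "HOME_NET": "[192.168.0.0/16,10.0.0.0/8]",
        "EXTERNAL_NET": external_net,
    }
    return {
        name: (rule_matches(INBOUND_RULE, flow, variables),
               rule_matches(OUTBOUND_RULE, flow, variables))
        for name, flow in FLOWS.items()
    }


if __name__ == "__main__":
    for definition in ("!$HOME_NET", "any"):
        print("ipvar EXTERNAL_NET %s" % definition)
        for name, (inb, outb) in coverage(definition).items():
            print("  %-8s inbound-rule=%-5s outbound-rule=%s" % (name, inb, outb))
```

With `!$HOME_NET`, the lateral flow matches neither header, so a worm spreading between two internal subnets is invisible to every rule written with `$EXTERNAL_NET` on one side. With `any`, the same rules also fire on host-to-host traffic, at the cost of more noise from legitimate internal traffic; which trade-off is right depends on where the sensor sits, as the post says.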