[Snort-users] Internal Network vs. External Network
peter.bates at ...15381...
Wed Sep 12 11:21:55 EDT 2012
On 12/09/2012 16:04, Turnbough, Bradley E. wrote:
> I have two networks behind my firewall which have an IDS
> requirement. They are both "Internal" because they're "inside" my
> Snort operates on "Internal" and "External" networks.
> Should I consider the "internal networks" the ones that require the
> IDS, and everything outside of them to be "external networks"?
Yes - a good starting point is generally
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
Obviously replacing the RFC1918 addresses with your actual public
There is an argument for
ipvar EXTERNAL_NET any
if your IDS is placed where it might see intra-network traffic - i.e.
traffic from one of your hosts to another typically indicative of
However generally the majority of unusual traffic these days seems to
be either heading from your HOME_NET to EXTERNAL_NET - or EXTERNAL_NET
attackers hitting services you may be running on HOME_NET.
Senior Computer Security Officer Phone: +44(0)2076792049
Information Services Division Internal Ext: 32049
University College London
London WC1E 6BT
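Added example (not part of the original message, and not Snort's own code): a small Python model of how the address part of a rule header evaluates under the two EXTERNAL_NET definitions discussed in the reply. The sample flows and all function names are constructed for illustration; only the address variables are modelled, not ports or rule options.

```python
import ipaddress

# HOME_NET exactly as written in the reply (RFC1918 placeholders).
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

def in_home(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def var_matches(var, addr, external_def):
    """Evaluate $HOME_NET or $EXTERNAL_NET for a single address."""
    if var == "$HOME_NET":
        return in_home(addr)
    if var == "$EXTERNAL_NET":
        if external_def == "any":
            return True
        if external_def == "!$HOME_NET":
            return not in_home(addr)
        raise ValueError("unsupported EXTERNAL_NET definition: " + external_def)
    raise ValueError("unknown variable: " + var)

def header_matches(src_var, dst_var, src, dst, external_def):
    """Address part of a rule header: <src_var> any -> <dst_var> any."""
    return (var_matches(src_var, src, external_def)
            and var_matches(dst_var, dst, external_def))

# Constructed sample flows (documentation and RFC1918 addresses).
FLOWS = {
    "inbound":  ("203.0.113.7", "192.168.1.10"),
    "outbound": ("10.2.3.4", "198.51.100.9"),
    "intra":    ("192.168.1.10", "10.2.3.4"),
}

def coverage(external_def):
    """For each sample flow, does either common header direction match it?"""
    headers = [("$EXTERNAL_NET", "$HOME_NET"), ("$HOME_NET", "$EXTERNAL_NET")]
    return {
        name: any(header_matches(s, d, src, dst, external_def) for s, d in headers)
        for name, (src, dst) in FLOWS.items()
    }

if __name__ == "__main__":
    for definition in ("!$HOME_NET", "any"):
        print("EXTERNAL_NET", definition, "->", coverage(definition))
```

Only the host-to-host flow inside HOME_NET changes between the two definitions, which is the trade-off the reply describes.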