[Snort-users] Best practices for setting HOME_NET

Joel Esler jesler at ...1935...
Fri Jan 11 19:05:14 EST 2013


Correct.  But if your sensor is sitting in a position to only watch traffic in and out of the network at the gateway, you wouldn't see that anyway.

It depends on your sensor placement.  "any"  is a good default if you don't know what to do.


On Jan 11, 2013, at 7:04 PM, Mike Miller <mike at ...16027...> wrote:

> The example we've used is a machine being infected via thumbdrive, or an infected Laptop being brought inside. Say 10.1.1.200 
> 
> ipvar HOME_NET 10.1.1.0/24
> ipvar EXTERNAL_NET !$HOME_NET
> 
> would miss an infected machine sweeping the inside for additional candidates. It also might not catch 'encrypted traffic on a nonstandard port' when it opens up an outbound connection for C&C.
> 
> 
> 
> On Jan 11, 2013, at 4:58 PM, Joel Esler <jesler at ...1935...> wrote:
> 
>> Depends on your deployment scenario.  
>> 
>> If you have a border gateway Snort, then Kevin's suggestion is great.  If you have more of an internal LAN facing Snort, then your suggestion is valid.
>> 
>> Where it really gets fun is when you define HOME_NET and then you define EXTERNAL_NET as HOME_NET.
>> 
>> J
>> 
>> On Jan 11, 2013, at 6:03 PM, Mike Miller <mike at ...16027...> wrote:
>> 
>>>  Not necessarily. 
>>> 
>>> Your IDS won't alert on an internal range attacking another internal range. 
>>> 
>>> I've seen:
>>> 
>>> ipvar EXTERNAL_NET any
>>> 
>>> to be more expansive. 
>>> 
>>> On Jan 11, 2013, at 11:34 AM, Kevin Ross <kevross33 at ...14012...> wrote:
>>> 
>>>> It should be your internal network ranges or specifically the IPs or subnets you are trying to protect if you want to refine it further and consider even more to be "external". If you are really unsure you can set it as RFC 1918 addresses and then set EXTERNAL_NET to be anything not HOME_NET.
>>>> 
>>>> i.e
>>>> ipvar HOME_NET [10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]
>>>> ipvar EXTERNAL_NET !$HOME_NET
>>>> 
>>>> It is important to try and get this right so the rules are applied properly.
>>>> 
>>>> Hope that helps,
>>>> Kevin
>>>> 
>>>> 
>>>> On 11 January 2013 04:02, Craig Merchant <cmerchant at ...16022...> wrote:
>>>> What are the best practices for setting the HOME_NET variable in an environment where multiple sensors exist at different sites or datacenters?  Is it considered best to set it to a network range that encompasses all of the sites, or generally is it considered best to treat intra-site traffic as external?
>>>> 
>>>> Thx.
>>>> 
>>>> Craig
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
>>>> much more. Get web development skills now with LearnDevNow -
>>>> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
>>>> SALE $99.99 this month only -- learn more at:
>>>> http://p.sf.net/sfu/learnmore_122812
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>> 
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>> 
>>> 
>> 
> 

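As an added example (not code from the thread or from the Snort project), a small Python model of how the three HOME_NET/EXTERNAL_NET choices discussed above resolve the address part of a rule header, run against Mike's 10.1.1.200 sweep, an inbound connection, and an outbound C&C connection. The outside addresses 203.0.113.5 and 198.51.100.7 are constructed sample values; ports and the bidirectional '<>' operator are not modeled.

```python
import ipaddress

# Constructed sample values: the RFC 1918 ranges used as HOME_NET in the thread.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def matches(ip, value, variables):
    """True if ip matches a Snort-style ipvar value: 'any', a '$VAR' reference,
    a negated reference '!$VAR', or a list of CIDR strings."""
    if value == "any":
        return True
    if isinstance(value, str) and value.startswith("!"):
        return not matches(ip, value[1:], variables)
    if isinstance(value, str) and value.startswith("$"):
        return matches(ip, variables[value[1:]], variables)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in value)


def header_fires(src, dst, variables, src_var="$EXTERNAL_NET", dst_var="$HOME_NET"):
    """Address half of a rule header such as '$EXTERNAL_NET any -> $HOME_NET any'."""
    return matches(src, src_var, variables) and matches(dst, dst_var, variables)


# The three variable definitions discussed in the thread (hypothetical labels).
SCENARIOS = {
    "border":           {"HOME_NET": RFC1918, "EXTERNAL_NET": "!$HOME_NET"},  # Kevin
    "internal_any":     {"HOME_NET": RFC1918, "EXTERNAL_NET": "any"},         # Mike
    "home_as_external": {"HOME_NET": RFC1918, "EXTERNAL_NET": "$HOME_NET"},   # Joel
}


def evaluate(src, dst, src_var="$EXTERNAL_NET", dst_var="$HOME_NET"):
    """Which scenarios would let the given rule header fire on this flow?"""
    return {name: header_fires(src, dst, v, src_var, dst_var)
            for name, v in SCENARIOS.items()}


if __name__ == "__main__":
    # Internal host sweeping the inside: only the non-border definitions see it.
    print("sweep   ", evaluate("10.1.1.200", "10.1.1.50"))
    # Inbound from the Internet: the border definition sees it; HOME_NET-as-EXTERNAL_NET does not.
    print("inbound ", evaluate("203.0.113.5", "10.1.1.50"))
    # Outbound C&C needs an outbound rule header ($HOME_NET -> $EXTERNAL_NET) to fire at all.
    print("outbound", evaluate("10.1.1.200", "198.51.100.7", "$HOME_NET", "$EXTERNAL_NET"))
```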