[Snort-users] Best practices for setting HOME_NET

waldo kitty wkitty42 at ...14940...
Sat Jan 12 02:30:39 EST 2013


On 1/11/2013 19:04, Mike Miller wrote:
> The example we've used is a machine being infected via thumbdrive, or an
> infected Laptop being brought inside. Say 10.1.1.200
>
> Home_NET 10.1.1.0/24
> EXTERNAL_NET !HOME_NET
>
> would miss an infected machine sweeping the inside for additional candidates.

that's where an internal looking IDS would be employed ;)

> It also might not catch 'encrypted traffic on a nonstandard port' when it
> opens up an outbound connection for C&C.

and this is why there should be two rules... one for external looking at inbound 
traffic and internal looking at outbound traffic ;)

> On Jan 11, 2013, at 4:58 PM, Joel Esler <jesler at ...1935...
> <mailto:jesler at ...1935...>> wrote:
>
>> Depends on your deployment scenario.
>>
>> If you have a border gateway Snort, then Kevin's suggestion is great. If you
>> have more of an internal LAN facing Snort, then your suggestion is valid.
>>
>> Where it really gets fun is when you define HOME_NET and then you define
>> EXTERNAL_NET as HOME_NET.
>>
>> J
>>
>> On Jan 11, 2013, at 6:03 PM, Mike Miller <mike at ...16027...
>> <mailto:mike at ...16027...>> wrote:
>>
>>> Not necessarily.
>>>
>>> Your IDS won't alert on an internal range attacking another internal range.
>>>
>>> I've seen:
>>>
>>> ipvar EXTERNAL_NET any
>>>
>>> to be more expansive.
>>>
>>> On Jan 11, 2013, at 11:34 AM, Kevin Ross <kevross33 at ...14012...
>>> <mailto:kevross33 at ...14012...>> wrote:
>>>
>>>> It should be your internal network ranges or specifically the IPs or subnets
>>>> you are trying to protect if you want to refine it further and consider even
>>>> more to be "external". If you are really unsure you can set it as RFC 1918
>>>> addresses and then set EXTERNAL_NET to be anything not HOME_NET.
>>>>
>>>> i.e
>>>> ipvar HOME_NET [ 10.0.0.0/8,172.16.0.0/12,192.168.1.0/16 ]
>>>> ipvar EXTERNAL_NET !$HOME_NET
>>>>
>>>> It is important to try and get this right so the rules are applied properly.
>>>>
>>>> Hope that helps,
>>>> Kevin
>>>>
>>>>
>>>> On 11 January 2013 04:02, Craig Merchant <cmerchant at ...16022...
>>>> <mailto:cmerchant at ...16022...>> wrote:
>>>>
>>>>     What are the best practices for setting the HOME_NET variable in an
>>>>     environment where multiple sensors exist at different sites or
>>>>     datacenters? Is it considered best to set it to a network range that
>>>>     encompasses all of the sites, or generally is it considered best to
>>>>     treat intra-site traffic as external?
>>>>
>>>>     Thx.
>>>>
>>>>     Craig
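The point the thread turns on is whether a rule written as `$EXTERNAL_NET any -> $HOME_NET any` can see an infected inside host (Mike's 10.1.1.200) sweeping its own /24. This is an added example, not code from the list or from the Snort project: a small evaluator of ipvar semantics (CIDR, bracketed lists, `any`, `!` negation, `$NAME` references) that checks which source/destination pairs would satisfy that rule header under the two EXTERNAL_NET definitions discussed. It assumes the simplified subset of Snort's variable syntax shown in the thread, not the full grammar.

```python
import ipaddress

# Constructed sample addresses: 10.1.1.200 is the infected inside host from the
# thread, 10.1.1.50 a constructed inside victim, 203.0.113.7 a constructed outside host.

def parse_ipvar(spec, variables):
    """Parse an ipvar value into (list_of_networks, negated).

    Handles the forms used in the thread: "10.1.1.0/24", "[ a, b, c ]",
    "any", "!X" and "$NAME" (lookup of an earlier ipvar).
    """
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:].strip()
    if spec.startswith("$"):
        nets, inner_negated = variables[spec[1:]]
        return nets, negated != inner_negated   # "!$X" flips X's sense
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], negated
    # strict=False masks host bits, so an entry like 192.168.1.0/16 is accepted
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return nets, negated

def matches(addr, var):
    """True if addr is covered by the ipvar (taking negation into account)."""
    nets, negated = var
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets) != negated

def rule_fires(home_spec, external_spec, src, dst):
    """Would a rule headed '$EXTERNAL_NET any -> $HOME_NET any' see src->dst?"""
    variables = {}
    variables["HOME_NET"] = parse_ipvar(home_spec, variables)
    variables["EXTERNAL_NET"] = parse_ipvar(external_spec, variables)
    return (matches(src, variables["EXTERNAL_NET"])
            and matches(dst, variables["HOME_NET"]))

if __name__ == "__main__":
    for ext in ("!$HOME_NET", "any"):
        inside = rule_fires("10.1.1.0/24", ext, "10.1.1.200", "10.1.1.50")
        outside = rule_fires("10.1.1.0/24", ext, "203.0.113.7", "10.1.1.50")
        print(f"EXTERNAL_NET {ext:<11} inside sweep seen: {inside}, "
              f"inbound from outside seen: {outside}")
```

With `!$HOME_NET` the inside-to-inside sweep never satisfies the header, which is the gap Mike describes; with `any` it does, at the cost of every inside-to-inside flow now matching inbound rules as well.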
