[Snort-users] Best practices for setting HOME_NET

waldo kitty wkitty42 at ...14940...
Sat Jan 12 02:32:33 EST 2013


On 1/11/2013 19:05, Joel Esler wrote:
> Correct. But if your sensor is sitting in a position to only watch traffic in
> and out of the network at the gateway, you wouldn't see that anyway.
>
> It depends on your sensor placement. "any" is a good default if you don't know
> what to do.

agreed... to a point... that point being that you may end up chasing your tail 
looking for internal infestations when they are external and possibly already 
blocked and simply being alerted on...

> On Jan 11, 2013, at 7:04 PM, Mike Miller <mike at ...16027...> wrote:
>
>> The example we've used is a machine being infected via thumbdrive, or an
>> infected Laptop being brought inside. Say 10.1.1.200
>>
>> Home_NET 10.1.1.0/24
>> EXTERNAL_NET !HOME_NET
>>
>> would miss an infected machine sweeping the inside for additional candidates.
>> It also might not catch 'encrypted traffic on a nonstandard port' when it
>> opens up an outbound connection for C&C.
>>
>>
>>
>> On Jan 11, 2013, at 4:58 PM, Joel Esler <jesler at ...1935...> wrote:
>>
>>> Depends on your deployment scenario.
>>>
>>> If you have a border gateway Snort, then Kevin's suggestion is great. If you
>>> have more of an internal LAN facing Snort, then your suggestion is valid.
>>>
>>> Where it really gets fun is when you define HOME_NET and then you define
>>> EXTERNAL_NET as HOME_NET.
>>>
>>> J
>>>
>>> On Jan 11, 2013, at 6:03 PM, Mike Miller <mike at ...16027...> wrote:
>>>
>>>> Not necessarily.
>>>>
>>>> Your IDS won't alert on an internal range attacking another internal range.
>>>>
>>>> I've seen:
>>>>
>>>> ipvar EXTERNAL_NET any
>>>>
>>>> to be more expansive.
>>>>
>>>> On Jan 11, 2013, at 11:34 AM, Kevin Ross <kevross33 at ...14012...> wrote:
>>>>
>>>>> It should be your internal network ranges or specifically the IPs or
>>>>> subnets you are trying to protect if you want to refine it further and
>>>>> consider even more to be "external". If you are really unsure you can set
>>>>> it as RFC 1918 addresses and then set EXTERNAL_NET to be anything not HOME_NET.
>>>>>
>>>>> i.e
>>>>> ipvar HOME_NET [ 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 ]
>>>>> ipvar EXTERNAL_NET !$HOME_NET
>>>>>
>>>>> It is important to try and get this right so the rules are applied properly.
>>>>>
>>>>> Hope that helps,
>>>>> Kevin
>>>>>
>>>>>
>>>>> On 11 January 2013 04:02, Craig Merchant <cmerchant at ...16022...> wrote:
>>>>>
>>>>>     What are the best practices for setting the HOME_NET variable in an
>>>>>     environment where multiple sensors exist at different sites or
>>>>>     datacenters? Is it considered best to set it to a network range that
>>>>>     encompasses all of the sites, or generally is it considered best to
>>>>>     treat intra-site traffic as external?
>>>>>
>>>>>     Thx.
>>>>>
>>>>>     Craig
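As an added illustration of the trade-off the thread is debating (this is not code from the thread or from the Snort project), the following Python script models how Snort resolves the HOME_NET / EXTERNAL_NET variables when it evaluates a rule header against a packet, and runs a few constructed flows through the three EXTERNAL_NET choices mentioned above: `!$HOME_NET` (Kevin), `any` (Mike), and `$HOME_NET` (Joel's "fun" case). The HOME_NET value 10.1.1.0/24, the flow addresses and their labels are assumptions chosen to match Mike's infected-laptop scenario; only the source/destination address test is modelled, not ports, the `<>` operator, or rule content.

```python
import ipaddress

# Constructed sample flows (src, dst, label); not taken from the thread.
# 10.1.1.200 is the infected laptop from Mike's example, 203.0.113.5 and
# 198.51.100.9 are documentation-range stand-ins for Internet hosts.
FLOWS = [
    ("203.0.113.5", "10.1.1.50", "inbound probe from the Internet"),
    ("10.1.1.200", "10.1.1.50", "infected laptop sweeping the LAN"),
    ("10.1.1.200", "203.0.113.5", "outbound C&C connection"),
    ("198.51.100.9", "203.0.113.5", "transit traffic, neither end is ours"),
]


def make_var(spec, env):
    """Build a predicate for a Snort-style ipvar value.

    Handles the three forms used in the thread: 'any', '$NAME' / '!$NAME'
    (a reference to an already-defined var, optionally negated) and a
    bracketed CIDR list such as '[10.0.0.0/8,172.16.0.0/12]'.
    """
    spec = spec.strip()
    if spec == "any":
        return lambda ip: True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec.startswith("$"):
        inner = env[spec[1:]]  # variable defined earlier in snort.conf
        return (lambda ip: not inner(ip)) if negate else inner
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in spec.strip("[]").split(",")]

    def in_list(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return (lambda ip: not in_list(ip)) if negate else in_list


def build_env(home_net, external_net):
    """Mimic 'ipvar HOME_NET ...' followed by 'ipvar EXTERNAL_NET ...'."""
    env = {}
    env["HOME_NET"] = make_var(home_net, env)
    env["EXTERNAL_NET"] = make_var(external_net, env)
    return env


def matching_flows(env, src_var, dst_var, flows=FLOWS):
    """Labels of the flows a header '<src_var> any -> <dst_var> any' applies to."""
    return [label for src, dst, label in flows
            if env[src_var](src) and env[dst_var](dst)]


# The three EXTERNAL_NET choices discussed in the thread (HOME_NET assumed).
CONFIGS = {
    "EXTERNAL_NET !$HOME_NET": build_env("[10.1.1.0/24]", "!$HOME_NET"),
    "EXTERNAL_NET any":        build_env("[10.1.1.0/24]", "any"),
    "EXTERNAL_NET $HOME_NET":  build_env("[10.1.1.0/24]", "$HOME_NET"),
}

# The two header shapes most VRT/ET rules use.
RULE_HEADERS = {
    "$EXTERNAL_NET -> $HOME_NET": ("EXTERNAL_NET", "HOME_NET"),
    "$HOME_NET -> $EXTERNAL_NET": ("HOME_NET", "EXTERNAL_NET"),
}

if __name__ == "__main__":
    for cfg_name, env in CONFIGS.items():
        print(f"== {cfg_name}")
        for hdr_name, (src_var, dst_var) in RULE_HEADERS.items():
            hits = matching_flows(env, src_var, dst_var)
            print(f"  {hdr_name}: {hits or ['(nothing)']}")
```

Running it shows the point each poster is making: with `!$HOME_NET`, the inbound header only ever sees the Internet probe and the outbound header only the C&C connection, so the laptop's LAN sweep is never evaluated by either; with `any`, the sweep is evaluated by both headers (at the cost, as waldo notes, of alerts on traffic the gateway may already be blocking); with `EXTERNAL_NET $HOME_NET`, only internal-to-internal traffic is evaluated. The same model applies to Craig's multi-site question: if HOME_NET is the union of all sites and EXTERNAL_NET is `!$HOME_NET`, a sensor at one site will not evaluate `$EXTERNAL_NET -> $HOME_NET` rules for traffic arriving from another site.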