[Snort-users] home_net & external_net question

Joel Esler jesler at ...1935...
Tue Jul 16 11:50:51 EDT 2013


I figured that was the case.  Okay, someone that has pfsense on the list will have to write you back then, I’m not sure how that interaction works.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jul 16, 2013, at 3:13 AM, slava at ...13788... wrote:

> On 16.07.2013 02:09, Joel Esler wrote:
>> Are you using a snort in inline mode, or is it built into a firewall?
> Thanks, Joel.
> That's a pfsense snort instance. A rather old one (2.9.2.3), but
> nevertheless.
> So, it's built into the firewall.
> 
> -- 
> Slava
> 
>> 
>> 
>> --
>> Joel Esler
>> Sent from my iPad
>> 
>> On Jul 15, 2013, at 5:57 PM, "slava at ...13788..." <slava at ...13788...> wrote:
>> 
>>> Hello,
>>> 
>>> I'm not very skilled with snort. But have some understanding of how it
>>> works.
>>> So here is my situation:
>>> We have a snort instance, which protects our internal network.
>>> HOME_NET is set with a bunch of internal networks.
>>> EXTERNAL_NET is set as !$HOME_NET
>>> Today a few sites have been infected with a trojan, and upon its
>>> activation, all sites from our internal network have been blocked at once.
>>> 
>>> My question is: Did snort act correctly by blocking IPs from HOME_NET
>>> or not?
>>> Should snort not block networks listed in HOME_NET no matter what?
>>> 
>>> 
>>> Appreciate any help.
>>> Thank you,
>>> Slava
>>> 