[Snort-users] Doubt about configuration HOME, EXTERNAL.
Morris, Shane (US SSA)
shane.morris at ...11338...
Thu Jun 6 13:00:04 EDT 2013
When you're watching traffic leaving your network you're looking for things like users going to infected sites, CNC, bad domains/IPs, data exfil, etc. It's just as important as watching the noise banging off your web servers.
If your net is just the /24 then I think your variables are correct. The rule header would be HOME_NET -> EXTERNAL_NET. Also Snort's default HTTP_PORTS variable includes proxy ports so you can catch your users going to the net through a proxy port.
The best thing to do is run some dumps on your listening port/s and analyze the traffic along with some accurate net diags.
From: Agus [mailto:agus.262 at ...11827...]
Sent: Wednesday, June 05, 2013 9:54 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Doubt about configuration HOME, EXTERNAL.
Any link, tip is appreciated.
2013/6/4 Agus <agus.262 at ...11827...>
I have a subnet that connects to a client Network. They asked me to implement an IDS. So I built snort/snorby/PP
This is an unusual, at least for me, place as I am supposed to monitor the traffic going away from my net to the other, instead of what is more common, that I monitor incoming traffic to my servers.
So my doubt is how should I configure the Network variables.
My net = 10.11.0.0/24 - HOME_NET
Client = !HOME_NET - EXTERNAL_NET
That is the approach I took, the same as if the servers were on my net; but that ain't the case as I have the clients/users on my NET, and all services (web, proxy, inet) are on their side. I was thinking of swapping the values.
Thanks for any tip you can provide!
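A small evaluator of Snort rule-header direction, added here as an example and not code from the thread or from the Snort project: it uses HOME_NET and EXTERNAL_NET exactly as the poster defined them, an assumed subset of Snort's default HTTP_PORTS (the proxy ports the reply mentions), constructed sample flows, and a simplified variable syntax (no nested lists), to show which header a user-to-proxy flow is actually evaluated against.

```python
import ipaddress

# Variables as defined in the thread (HOME_NET = the poster's /24,
# EXTERNAL_NET = !$HOME_NET, the snort.conf idiom).
IPVARS = {"HOME_NET": ["10.11.0.0/24"], "EXTERNAL_NET": ["!$HOME_NET"]}
# Assumed subset of Snort's default HTTP_PORTS, including common proxy
# ports (3128, 8080, 8118). Not the full default list.
PORTVARS = {"HTTP_PORTS": {80, 3128, 8080, 8118}}

def ip_matches(spec, ip):
    """Evaluate one address spec: 'any', '$VAR', '!<spec>' or a CIDR."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    if spec.startswith("$"):
        return any(ip_matches(s, ip) for s in IPVARS[spec[1:]])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def port_matches(spec, port):
    """Evaluate one port spec: 'any', '$VAR', '!<spec>' or a single port."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec.startswith("$"):
        return port in PORTVARS[spec[1:]]
    return port == int(spec)

def header_matches(header, flow):
    """True if a header like 'tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS'
    selects the flow (src_ip, src_port, dst_ip, dst_port)."""
    _proto, src, sport, direction, dst, dport = header.split()
    sip, sp, dip, dp = flow
    fwd = (ip_matches(src, sip) and port_matches(sport, sp)
           and ip_matches(dst, dip) and port_matches(dport, dp))
    if direction == "->":
        return fwd
    if direction == "<>":  # bidirectional: also try the reversed flow
        rev = (ip_matches(src, dip) and port_matches(sport, dp)
               and ip_matches(dst, sip) and port_matches(dport, sp))
        return fwd or rev
    raise ValueError("unknown direction operator: " + direction)

# The header the reply describes, and the usual "protect my servers" header.
OUTBOUND = "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"
INBOUND = "tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS"

if __name__ == "__main__":
    # Constructed flow: a user on the poster's /24 reaching the client's proxy.
    user_to_proxy = ("10.11.0.7", 51000, "192.0.2.10", 3128)
    print(header_matches(OUTBOUND, user_to_proxy))  # True
    print(header_matches(INBOUND, user_to_proxy))   # False
```

Only the HOME_NET -> EXTERNAL_NET header selects the outbound proxy connection; a server-side header written the other way round never sees it, which is why the poster's variables do not need swapping.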