[Snort-users] Doubt about configuration HOME, EXTERNAL.

Agus agus.262 at ...11827...
Sun Jun 9 18:41:58 EDT 2013


Thanks Shane for your time! Will try to do some pcaps..


2013/6/6 Morris, Shane (US SSA) <shane.morris at ...11338...>

> Agus,
>
> When you’re watching traffic leaving your network you’re looking for
> things like users going to infected sites, CNC, bad domains/IPs, data
> exfil, etc. It’s just as important as watching the noise banging off your
> web servers.
>
> If your net is just the /24 then I think your variables are correct. The
> rule header would be HOME_NET -> EXTERNAL_NET. Also Snort's default
> HTTP_PORTS variable includes proxy ports so you can catch your users going
> to the net through a proxy port.
>
> The best thing to do is run some dumps on your listening port/s and
> analyze the traffic along with some accurate net diags.
>
> *From:* Agus [mailto:agus.262 at ...11827...]
> *Sent:* Wednesday, June 05, 2013 9:54 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Doubt about configuration HOME, EXTERNAL.
>
> Any link, tip is appreciated.
>
> Thanks
>
> 2013/6/4 Agus <agus.262 at ...11827...>
>
> Hi guys,
>
> I have a subnet that connects to a client Network. They asked me to
> implement an IDS. So I built snort/snorby/PP.
>
> This is an unusual place, at least for me, as I am supposed to monitor the
> traffic going away from my net to the other, instead of what is more
> common, that I monitor incoming traffic to my servers.
>
> So my doubt is how I should configure the Network variables.
>
> My net = 10.11.0.0/24 - HOME_NET
>
> Client = !HOME_NET - EXTERNAL_NET
>
> That is the approach I took, the same as if the servers were on my net;
> but that ain't the case as I have the clients/users on my NET, and all
> services (web, proxy, inet) are on their side. I was thinking of swapping
> the values.
>
> Thanks for any tip you can provide!
>
> Cheers
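
Added example, not part of the original thread: a small Python model of how a one-way rule header of the form HOME_NET -> EXTERNAL_NET matches traffic with the variables as posted (HOME_NET = 10.11.0.0/24, EXTERNAL_NET = !HOME_NET) and with the values swapped. The HTTP_PORTS subset, the 192.0.2.10 client-side address and all function names are assumptions for illustration, and only address/port header matching is modelled, not Snort's flow tracking.

```python
import ipaddress

USER_SUBNET = ipaddress.ip_network("10.11.0.0/24")  # "My net" in the thread
HTTP_PORTS = {80, 3128, 8080}  # assumed subset of HTTP_PORTS, incl. proxy ports


def make_vars(swapped=False):
    """Membership tests for the network variables.

    swapped=False: HOME_NET = 10.11.0.0/24, EXTERNAL_NET = !HOME_NET (as posted).
    swapped=True:  the two values exchanged, as the poster considered doing.
    """
    def inside(ip):
        return ipaddress.ip_address(ip) in USER_SUBNET

    def outside(ip):
        return not inside(ip)

    home, ext = (outside, inside) if swapped else (inside, outside)
    return {"HOME_NET": home, "EXTERNAL_NET": ext}


def header_matches(header, pkt, nets):
    """Match a one-way ('->') header: (src_var, src_ports, dst_var, dst_ports).

    A port field of None stands for 'any'.
    """
    src_var, sports, dst_var, dports = header
    src, sport, dst, dport = pkt
    return (nets[src_var](src) and nets[dst_var](dst)
            and (sports is None or sport in sports)
            and (dports is None or dport in dports))


# Header discussed in the reply: $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
OUTBOUND_HTTP = ("HOME_NET", None, "EXTERNAL_NET", HTTP_PORTS)

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port)
SAMPLES = {
    "user -> client proxy": ("10.11.0.25", 51514, "192.0.2.10", 3128),
    "proxy reply -> user": ("192.0.2.10", 3128, "10.11.0.25", 51514),
    "user -> user": ("10.11.0.25", 40000, "10.11.0.30", 80),
}


def evaluate(swapped=False):
    """Return {sample name: True if the outbound HTTP header matches}."""
    nets = make_vars(swapped)
    return {n: header_matches(OUTBOUND_HTTP, p, nets) for n, p in SAMPLES.items()}


if __name__ == "__main__":
    print("as posted:", evaluate(False))
    print("swapped:  ", evaluate(True))
```

With the variables as posted, only the user's request to the client-side proxy port matches; with the values swapped, the same header matches none of the sample packets.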