[Snort-users] Modifying Rules Works One Direction, but Not T'Other

Doug Burks doug.burks at ...11827...
Sat Nov 29 19:04:07 EST 2014

Replies inline.

On Sat, Nov 29, 2014 at 6:35 PM, colony.three
<colony.three at ...17037...> wrote:
> On Sat, Nov 29, 2014 at 3:22 PM, colony.three
> wrote:
>>> These variables are not defined in the bash environment and that's why
>>> your tests are showing up blank. These variables are defined in your
>>> snort.conf file. Please see /etc/nsm/HOSTNAME-INTERFACE/snort.conf.
>>> In that case the rule-update script can not work correctly.
>> Why do you say that?
> In order for the script to invoke the rule modifications I've made, it has
> to know which IPs are local and which are not.  It does not know this.

No, rule-update just runs PulledPork and it does not need to know what
these variables are.

>>> I noticed /etc/nsm/hex-eth0/snort.conf, but I couldn't find anywhere in
>>> the
>>> documentation nor videos where it says I need to modify that for my
>>> network.
>>Please see Step #1 on the PostInstallation page on our Wiki:
> https://code.google.com/p/security-onion/wiki/PostInstallation
> Ok I see.  Looks like I never made it to this page.
>>> And it doesn't define EXTERNAL_NET correctly anyway; It sets it to 'any',
>>> when it should be !$HOME_NET.
>>Some organizations want/need EXTERNAL_NET to be 'any'.
>> Also note that Snort's default snort.conf has EXTERNAL_NET set to 'any':
> https://labs.snort.org/snort/2970/snort.conf
>> You can certainly set it to !$HOME_NET if that's what you'd like to do.
> Suggestion to all:  Doesn't make sense to set EXTERNAL_NET=any.

That may be true for your environment.  But there are environments
where EXTERNAL_NET=any makes sense.  Not all environments are the
same.  That's why it's a variable, so that folks can modify it to suit
their environment.

>>> And anyway, I have reason to doubt it is
>>> noticed by SO.
>> If HOME_NET and EXTERNAL_NET are defined properly in the correct
> snort.conf file, then Snort will read those variables correctly.
> I will take your word for it Doug, although I have no other evidence.
> Apparently there's some kind of magick going on.
>> This Snort mailing list is public and is therefore indexed by Google,
> so there's really not much difference between exposing your email
> address to this Snort mailing list or the Security Onion mailing list.
> Suffice it to say that there is a difference in class with G**gle, between
> 'external sources' and 'internal sources'.  Clearly Doug, you are all about
> G**gle.  But you've made a fine product, and it is not my place to
> proselytize about G**gle to you.  But some day you will know.

I fully understand the concerns that folks have about Google.  I'll
repeat my previous statement that you sending an email to this Snort
mailing list is still public info and still indexed by Google.

If you have further questions about Security Onion, please send an
email to security-onion at ...14071... and, again, you can use your
existing email account.

Doug Burks
Need Security Onion Training or Commercial Support?
Last day to register for 3-Day Training Class in Augusta GA is 12/11!

More information about the Snort-users mailing list