No subject

Thu Nov 23 16:36:19 EST 2017



<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2656.60">
<TITLE>RE: [Snort-users] HOME_NET question</TITLE>

<P><FONT SIZE=2>Hi Seth,</FONT>

<P><FONT SIZE=2>Making the assumption that you are spanning all the DMZ and VLAN traffic to your Snort sensor, you should be good.  I would also recommend setting your server-specific IPs in the HTTP_SERVERS, SMTP_SERVERS, etc. options; it really helps to reduce the false positives.</FONT></P>

<P><FONT SIZE=2>If you want to get really fancy you can declare your DMZ and VLAN subnets as a new variable and then set HOME_NET as that variable and EXTERNAL_NET as the 'not' of the variable.  Then take the new variable you created and use it as the source in sigs that you disable due to too many false positives, such as the various worm sigs.  This way you will have Snort watching your own network for infections, and if you see a worm sig (or others) alert you, you know you have a problem and not just noise off the net.</FONT></P>

<P><FONT SIZE=2>An example for you:</FONT>


<P><FONT SIZE=2>alert tcp $DMZ_NET any -> $EXTERNAL_NET any (&lt;options of some worm sig, or other, that you modified from the normal Snort rules and set in local.rules&gt;)</FONT></P>

<P><FONT SIZE=2>Shawn Truax</FONT>
<BR><FONT SIZE=2>Security Specialist</FONT>
<BR><FONT SIZE=2>Corporate Security</FONT>
<BR><FONT SIZE=2>155 University Ave.</FONT>
<BR><FONT SIZE=2>Toronto, Ontario</FONT>
<BR><FONT SIZE=2>(416)327-1107</FONT>
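<P><FONT SIZE=2>As an added illustration of the layout described above (not part of the original post), here is what the variable section of snort.conf and the modified local.rules entry look like when the DMZ plus two VLANs are declared as one variable. All subnets, the server addresses, the port and the sid are constructed placeholders; substitute your own.</FONT></P>

```conf
# --- snort.conf (constructed example, not from the original post) ---
# One variable for everything this sensor is responsible for:
# the DMZ plus the two VLAN subnets. Values are placeholders.
var DMZ_NET [192.0.2.0/24,10.10.1.0/24,10.10.2.0/24]

# HOME_NET becomes that variable, EXTERNAL_NET its negation, so a
# packet is "external" only if neither address is in DMZ_NET.
var HOME_NET $DMZ_NET
var EXTERNAL_NET !$HOME_NET

# Narrow the service variables to the real servers so the HTTP/SMTP
# rules and preprocessors only look at traffic to those hosts.
var HTTP_SERVERS [192.0.2.10]
var SMTP_SERVERS [192.0.2.20]

# --- local.rules (constructed example) ---
# A worm-style signature whose stock form is disabled for noise, copied
# here with the source flipped from $EXTERNAL_NET to $DMZ_NET: it now
# fires only when one of OUR hosts probes outward, i.e. a likely
# infection rather than background scanning from the Internet.
# Destination port and sid (>= 1000000, local range) are placeholders.
alert tcp $DMZ_NET any -> $EXTERNAL_NET 135 (msg:"LOCAL outbound worm-like probe to tcp/135 from internal host"; flags:S,12; classtype:trojan-activity; sid:1000001; rev:1;)
```

<P><FONT SIZE=2>Check the result with a configuration test (snort -T -c snort.conf) before loading it on the sensor; an undefined variable referenced in local.rules is reported there rather than at alert time.</FONT></P>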

<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: sart at ...11843... [<A HREF="mailto:sart at ...11911...">mailto:sart at ...11843...</A>]</FONT>
<BR><FONT SIZE=2>Sent: June 3, 2004 2:53 PM</FONT>
<BR><FONT SIZE=2>To: snort-users at</FONT>
<BR><FONT SIZE=2>Subject: [Snort-users] HOME_NET question</FONT>

<P><FONT SIZE=2>I have only one IDS and it is on the DMZ. </FONT>
<BR><FONT SIZE=2>For the HOME_NET var do I just put in the subnet of the DMZ or do I put in </FONT>
<BR><FONT SIZE=2>my VLAN subnets also?</FONT>
<BR><FONT SIZE=2>Right now I have the DMZ and my 2 VLAN subnets in var HOME_NET and I was </FONT>
<BR><FONT SIZE=2>just wondering if that is correct. </FONT>

<P><FONT SIZE=2>Lastly, after running Snort on the default rule set with 2.1.2 for a </FONT>
<BR><FONT SIZE=2>couple of weeks I finally used oinkmaster to get and use the latest stable </FONT>
<BR><FONT SIZE=2>rules.   Now in the past 3 hours I have only gotten 3 alerts besides my </FONT>
<BR><FONT SIZE=2>self tests and they are all the robots.txt alert from the search engines. </FONT>
<BR><FONT SIZE=2>Is this normal for a sensor on a DMZ with a non-MS web server, email </FONT>
<BR><FONT SIZE=2>server, and FTP server?   Was I just used to getting all those false </FONT>
<BR><FONT SIZE=2>positives from the default ruleset?  It seems so quiet now. </FONT>

<P><FONT SIZE=2>Thanks guys, </FONT>

<P><FONT SIZE=2>Seth Art</FONT>




More information about the Snort-users mailing list