No subject


Thu Nov 23 16:36:19 EST 2017


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2656.60">
<TITLE>RE: [Snort-users] HOME_NET question</TITLE>
</HEAD>
<BODY>

<P><FONT SIZE=2>Hi Seth,</FONT>
</P>

<P><FONT SIZE=2>Making the assumption that you are spanning all the DMZ and VLAN traffic to your Snort sensor, you should be good. I would also recommend setting your server-specific IPs in the HTTP_SERVERS, SMTP_SERVERS, etc. options; it really helps to reduce the false positives.</FONT></P>

<P><FONT SIZE=2>If you want to get really fancy, you can declare your DMZ and VLAN subnets as a new variable and then set HOME_NET as that variable and EXTERNAL_NET as the 'not' of the variable. Then take the new variable you created and use it as the source in sigs that you disable due to too many false positives, such as the various worm sigs. This way you will have Snort watching your own network for infections, and if you see a worm sig (or others) alert you, you know you have a problem and not just noise off the net.</FONT></P>
<BR>

<P><FONT SIZE=2>An example for you:</FONT>
</P>

<P><FONT SIZE=2>var DMZ_NET [192.168.1.0/24]</FONT>
<BR><FONT SIZE=2>var HOME_NET $DMZ_NET</FONT>
<BR><FONT SIZE=2>var EXTERNAL_NET !$DMZ_NET</FONT>
</P>

<P><FONT SIZE=2>alert ip $DMZ_NET any -> $EXTERNAL_NET any (Some worm sig (or other) you modified from the normal snort rules and set in local.rules)</FONT></P>

<P><FONT SIZE=2>Shawn Truax</FONT>
<BR><FONT SIZE=2>Security Specialist</FONT>
<BR><FONT SIZE=2>Corporate Security</FONT>
<BR><FONT SIZE=2>155 University Ave.</FONT>
<BR><FONT SIZE=2>Toronto, Ontario</FONT>
<BR><FONT SIZE=2>M5H 3B7</FONT>
<BR><FONT SIZE=2>(416)327-1107</FONT>
</P>
<BR>
<BR>
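<P><FONT SIZE=2>A fuller version of the layout Shawn describes, written as an added example for this archive page rather than taken from his message: a snort.conf fragment that covers Seth's actual situation (one DMZ plus two VLAN subnets), builds HOME_NET from all three, derives EXTERNAL_NET as the negation, fills in the server-specific variables, and ends with a local.rules entry that uses $DMZ_NET as the source. Every subnet, server address and the rule itself are constructed placeholders, not values from the thread.</FONT></P>

```snort
# snort.conf fragment: constructed example, not from Shawn's message.
# Subnet values below are placeholders; substitute the real DMZ and VLAN ranges.

# Name the DMZ on its own so local rules can single it out as a source.
var DMZ_NET [192.168.1.0/24]

# HOME_NET is every segment the sensor defends: the DMZ plus both VLANs.
# Listing the VLANs here is what makes $EXTERNAL_NET -> $HOME_NET rules
# cover VLAN hosts too; with only the DMZ listed, VLAN hosts count as
# "external" and inbound attacks on them match no HOME_NET rule.
var HOME_NET [192.168.1.0/24,10.0.10.0/24,10.0.20.0/24]

# EXTERNAL_NET is the negation of HOME_NET. The '$' is required; a bare
# "!HOME_NET" is not a variable reference. Because of the negation, traffic
# between two HOME_NET segments (VLAN to DMZ) never matches a rule written
# as "$HOME_NET any -> $EXTERNAL_NET any".
var EXTERNAL_NET !$HOME_NET

# Server-specific variables: the web/mail/ftp rule groups then apply only to
# the hosts that actually run those services, which trims false positives
# on every other host in HOME_NET. Addresses are constructed placeholders.
var HTTP_SERVERS [192.168.1.10/32]
var SMTP_SERVERS [192.168.1.20/32]
var FTP_SERVERS  [192.168.1.30/32]
var HTTP_PORTS 80

# local.rules entry (constructed): a worm-style rule re-pointed at our own
# DMZ as the source. It fires only when a DMZ host itself initiates an
# outbound SMB connection, so a hit means that host is misbehaving rather
# than the Internet scanning us. Sids from 1000000 upward are the range
# reserved for locally written rules.
alert tcp $DMZ_NET any -> $EXTERNAL_NET 445 (msg:"LOCAL DMZ host outbound SMB - possible worm propagation"; flow:to_server,established; classtype:trojan-activity; sid:1000001; rev:1;)
```

<P><FONT SIZE=2>Check the edited configuration with <CODE>snort -T -c /path/to/snort.conf</CODE> before restarting the sensor; a missing '$' on a negated variable or a rule without a protocol field is reported at that stage instead of silently leaving the sensor alert-free.</FONT></P>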

<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: sart at ...11843... [<A HREF="mailto:sart at ...11911.....">mailto:sart at ...11843...</A>]</FONT>
<BR><FONT SIZE=2>Sent: June 3, 2004 2:53 PM</FONT>
<BR><FONT SIZE=2>To: snort-users at lists.sourceforge.net</FONT>
<BR><FONT SIZE=2>Subject: [Snort-users] HOME_NET question</FONT>
</P>
<BR>

<P><FONT SIZE=2>I have only one IDS and it is on the DMZ.</FONT>
<BR><FONT SIZE=2>For the HOME_NET var do I just put in the subnet of the DMZ or do I put in my VLAN subnets also?</FONT>
<BR><FONT SIZE=2>Right now I have the DMZ and my 2 VLAN subnets in var HOME_NET and I was just wondering if that is correct.</FONT>
</P>

<P><FONT SIZE=2>Lastly, after running Snort on the default rule set with 2.1.2 for a couple of weeks I finally used oinkmaster to get and use the latest stable rules. Now in the past 3 hours I have only gotten 3 alerts besides my self tests, and they are all the robots.txt alert from the search engines.</FONT>
<BR><FONT SIZE=2>Is this normal for a sensor on a DMZ with a non-MS webserver, email server, and ftp server? Was I just used to getting all those false positives from the default ruleset? It seems so quiet now.</FONT>
</P>

<P><FONT SIZE=2>Thanks guys,</FONT>
</P>

<P><FONT SIZE=2>Seth Art</FONT>
</P>
<BR>
<BR>


</BODY>
</HTML>
