
RE: [Snort-sigs] ftp rules question - why only external to internal?

From: <Jerry.L.Rose(at)saj02.usace.army.mil>
Date: Fri Apr 25 2003 - 13:15:06 EDT


Thanks to all for the responses. I agree that the rules are easily tuned, and that I can change them for my use as I see fit. I guess what I don't understand is why the out-of-the-box rule isn't set to any > any. I imagine there would be very few false positives with that configuration. The implication is a trust of internal users with the standard configuration. The benefits of using HOME_NET for ignoring outbound traffic generating unwanted alerts, say for example http traffic from web surfing, are important. What I don't understand is why, for example if an internal user tried an attempted password or shadow file upload/download, anyone running NIDS wouldn't want to see that.

-----Original Message-----
From: Brian [mailto:bmc@snort.org]
Sent: Friday, April 25, 2003 1:09 PM
To: Rose, Jerry L
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] ftp rules question - why only external to internal?

On Fri, Apr 25, 2003 at 09:35:29AM -0500, Jerry.L.Rose@saj02.usace.army.mil wrote:
> I see there are several "bad" sections in the ftp rules ("bad files" section
> shown below). My question is why limit these to External network to and from
> internal network? Wouldn't it be better to change them to any network to any
> network? For example, if an internal user (located on the HOME_NET)
> attempted to download a "bad" file from any ftp server I'd like to know
> about it. What am I missing here?

This is a user specific configuration. Again, like most of the rules, you probably want to run setting EXTERNAL_NET and HOME_NET to any.

That's a policy thing. You decide how you want to run it. We keep the rules so it's easy to tune one way or the other rapidly.

-brian




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri Apr 25 15:05:46 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

