RE: [Snort-sigs] ftp rules question - why only external to internal?
From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Fri Apr 25 2003 - 17:53:25 EDT
In general the paradigm of the default ruleset is to watch for attacks from the external net to the internal net. Note that there's no strict rule as to what "internal" and "external" need to be defined as in terms of physical machines.

If you really want to watch for outbound attacks as well as inbound ones, rather than tuning individual rules, you should just consider setting external_net and internal_net both to "any". The same argument you make about this rule applies to pretty much EVERY rule in the ruleset.

The drawback of using "any" for home and external is that the snort rule takes longer to run, but does let you watch for the inside network attacking outside machines. This means it has to inspect all FTP traffic, not just connections to a server within HOME_NET, which is a lot more overhead.

I think the best guideline is to set HOME_NET to the list of machines you want to watch for attacks, and EXTERNAL_NET to the list of machines you check as sources of attack. Pick the minimal set you can for each category to reduce CPU overhead and false alerts, or pick any/any if you have CPU to spare and don't mind extra alerts.

Note that using the above concept means that in some cases your "EXTERNAL_NET" becomes the local LAN, and the HOME_NET is everything else on the internet. A good example where this might apply (depending on network specifics) is a public-access lab at a college campus. Of course, you might actually use an any/any configuration here too, depending on how the firewall is configured.

Overall I'd say it's generally a bad idea to try to enforce a particular paradigm at the rule level... leave that up to the var definitions. This is where someone can configure snort to watch for inbound attacks, outbound attacks, or both, and do so without having to have the default snort ruleset hacked up.
Received on Fri Apr 25 18:29:42 2003
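The point of the message above is that the direction a rule watches is decided by the HOME_NET / EXTERNAL_NET variable definitions, not by the rule text. The following added example (not code from the post, its author, or the Snort project) reimplements just enough of Snort's address-variable resolution and rule-header matching to show which FTP flows one unchanged rule header selects under the three variable settings the message describes: the default inbound-only setting, any/any, and the "lab" case where the LAN becomes EXTERNAL_NET. The 192.168.1.0/24 LAN, the three sample flows, and the simplified header are constructed for illustration; real Snort does more (port lists, ranges, IP lists with nested negation rules) than this sketch.

```python
"""Which FTP flows a rule header covers under different HOME_NET / EXTERNAL_NET settings.

Added example, not Snort code: it mimics only the address-variable resolution and
header matching needed to make the mailing-list point visible.
"""
import ipaddress

# A default-style FTP rule header of the kind discussed in the thread
# (action, protocol, source, source port, direction, destination, destination port).
RULE_HEADER = "alert tcp $EXTERNAL_NET any -> $HOME_NET 21"

# Three ways to set the snort.conf variables (constructed; 192.168.1.0/24 stands in for "the LAN").
CONFIGS = {
    "inbound_only": {"HOME_NET": "192.168.1.0/24",  "EXTERNAL_NET": "!$HOME_NET"},
    "any_any":      {"HOME_NET": "any",             "EXTERNAL_NET": "any"},
    "lab_outbound": {"HOME_NET": "!192.168.1.0/24", "EXTERNAL_NET": "192.168.1.0/24"},
}


def ip_matches(ip, expr, variables):
    """True if `ip` is covered by a Snort-style address expression.

    Supports: any, a CIDR, [list,of,cidrs], $VAR references, and a leading '!' negation
    on any of those (applied recursively, so '!$HOME_NET' works even when HOME_NET is negated).
    """
    expr = expr.strip()
    if expr.startswith("!"):
        return not ip_matches(ip, expr[1:], variables)
    if expr == "any":
        return True
    if expr.startswith("$"):
        return ip_matches(ip, variables[expr[1:]], variables)
    if expr.startswith("[") and expr.endswith("]"):
        return any(ip_matches(ip, part, variables) for part in expr[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def port_matches(port, expr):
    """Single port or 'any' (port lists/ranges deliberately left out)."""
    return expr == "any" or int(expr) == port


def rule_applies(header, variables, src_ip, src_port, dst_ip, dst_port):
    """Does this header select the flow src -> dst?  A '<>' header matches either direction."""
    _action, _proto, src, sport, direction, dst, dport = header.split()
    forward = (ip_matches(src_ip, src, variables) and port_matches(src_port, sport)
               and ip_matches(dst_ip, dst, variables) and port_matches(dst_port, dport))
    if forward or direction == "->":
        return forward
    # Bidirectional header: try the flow with its endpoints swapped.
    return (ip_matches(dst_ip, src, variables) and port_matches(dst_port, sport)
            and ip_matches(src_ip, dst, variables) and port_matches(src_port, dport))


# Constructed FTP control-channel flows: (client ip, client port, server ip, server port).
FLOWS = {
    "internet_to_lan": ("203.0.113.5",  40000, "192.168.1.10", 21),
    "lan_to_internet": ("192.168.1.10", 40001, "203.0.113.5",  21),
    "lan_to_lan":      ("192.168.1.10", 40002, "192.168.1.20", 21),
}


def coverage(header=RULE_HEADER, configs=CONFIGS, flows=FLOWS):
    """Map each variable configuration to the set of flow names the header would inspect."""
    return {
        name: {flow for flow, (s, sp, d, dp) in flows.items()
               if rule_applies(header, variables, s, sp, d, dp)}
        for name, variables in configs.items()
    }


if __name__ == "__main__":
    for name, covered in coverage().items():
        print(f"{name:14s} inspects: {sorted(covered) or ['nothing']}")
```

Running it shows the trade-off from the message directly: `inbound_only` inspects only the internet-to-LAN connection, `any_any` inspects all three (including LAN-to-LAN, which is the extra overhead and the extra alerts), and `lab_outbound` inspects only the LAN-to-internet connection, all without touching the rule header itself.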