Well Snort can help detect such traffic, but you have a problem with your
security policy and procedures if people are just showing up and jacking
into the wall and having full access to the network (where is your
addresss???? ) :-)
Also, what is $EXTERNAL_NET set to? probably "any" in the snort.conf?
And why are you using ALL of the private addresses? you should be using a
variable that is something like
var HOME_NET [10.111.0.0/16]
var EVIL_NET !$HOME_NET
More then likely, an on internal network, your sig will fire on every packet
:-)
Ok finchy, your turn.
Shirkdog
http://www.shirkdog.us
From: "Nick Baronian" <kvetch@gmail.com>
To: "snort-users@lists.sourceforge.net" <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Question about !HOME_NET
Date: Wed, 11 Oct 2006 10:47:00 -0400
I am trying to setup a simple rule but it doesn't appear to be
working. We have has some issues with people plugging in their laptops
to our corp. network. Some of these folks have static addresses and
try to send some traffic outbound, while the traffic gets dropped at a
firewall I want to log and alert on any non Home_NET IP's trying to go
out. I thought it would be fairly easy just set home_net to something
like
var HOME_NET [172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] and var HOME_NET
[172.0.0.0/8,10.0.0.0/8,192.168.0.0/16] then comment out other rules
in snort.conf except local.rule.
In local rule set it to something like
alert ip !HOME_NET any -> $EXTERNAL_NET any (msg:"nonwork routable IP
detected";)
I then start snort like
snort -e -i eth1 -l /u01/snort -s -D &
When I look at the log down /u01/snort it lists tons of IP's going
from an IP like 10.30 or 172.x.x.x going to some random IP. How do I
get my rules to only log the packets for non-Home_Net IP's trying to
talk to other non-Home_Net IP's?
Thanks,
Nick
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
_________________________________________________________________
Be seen and heard with Windows Live Messenger and Microsoft LifeCams
http://clk.atdmt.com/MSN/go/msnnkwme0020000001msn/direct/01/?href=http://www.microsoft.com/hardware/digitalcommunication/default.mspx?locale=en-us&source=hmtagline
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
