Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] EXTERNAL_NET: any vs !$HOME_NET

from [Hari Sekhon] Network Security [Permanent Link]
Subject: Re: [Snort-users] EXTERNAL_NET: any vs !$HOME_NET
Date: Mon, 1 Jan 2007 23:41:16 +0000 
Ok, so I should split the intrusion detection into one for external by
the borders and one or more for internal, but this still leaves me
with the same problem that I want to detect as many things as possible
as long as they aren't false alerts, again I would have to have
EXTERNAL_NET as any and then have a huge amount of normal traffic for
which I'd have to write pass rules, which is basically where I am
already at.

How many servers do you run snort on, every server, or one or two (in
which case it's not easy to see traffic to other hosts unless you have
a switch that can monitor all ports (which I don't - and don't fully
understand how you could even do this, the combined traffic from all
ports would be much more than a single port monitoring host could
handle). I've taken the web address of

I guess I would have to do a large amount of commenting out of rules
and adding a lot of pass rules for normal network activity (which I
have already had to do and looks like I will have to do much more of)

It seems that the lesser of two evils for a lot of this stuff is to
just blind myself to a lot of things and then hope what's left is
enough.

-h

On 01/01/07, Jason Brvenik <jasonb@sourcefire.com> wrote:



Hari Sekhon wrote:

I've currently got "var EXTERNAL_NET any" in my snort.conf and was
considering making it "var EXTERNAL_NET !$HOME" instead, but looking
at the rules files, it seems that most rules will immediately
disregard any suspicious traffic from your HOME_NET in this case,
which basically blinds you to any internal threats.


Correct. A proper deployment will have systems monitoring external
threats and a different system monitoring internal threats. You could
also run multiple instances of Snort on the same machine with different
interfaces and configurations. This is a less preferred method but often
makes budget happier. You should be aware that bridging an external and
internal network with _any_ device regardless of purpose has a certain
amount of risk involved.



I am also running snort on several servers that are not publicly
accessible (ie port forwards) but want to be able to see malicious or
suspicious traffic from all networks.

The current problem with the EXTERNAL_NET any is that a lot of rules
are throwing up too many false positives and it's very difficult to go
around writing pass rules for every other packet that goes through the
network interface (I exaggerate slightly)


You are asking too much of one system and configuration. If you needs
are more complex and detailed, you should move to a more complex and
detailed configuration.



It's seems a very difficult juggling act to on the one hand stop false
positives and
on the other to not totally negate the worth of the ids by making it too 
loose.


It is until you split the functions up into more manageable chunks.



For example I have stacks of "MS Terminal server request RDP" alerts
coming from machines on my home net. I can see how changing the
EXTERNAL_NET would be a good idea to stop these unless they come from
outside the network, but considering that this also stops most rules
from matching if somebody attacks from a machine within the building
or any remote site connected via vpn (which are included in HOME_NET
and therefore excluded from EXTERNAL_NET)

Anybody got any advise on this?


Create external, internal, VPN, and B2B segments and then monitor each
appropriately. Each zone has a different threat perspective and should
be monitored with different rules and configurations.




--
Hari Sekhon

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






-- 
Hari Sekhon

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] EXTERNAL_NET: any vs !$HOME_NET, Jason Brvenik
Next by Date:  Re: [Snort-users] EXTERNAL_NET: any vs !$HOME_NET, Jason Brvenik
Previous by Thread:  Re: [Snort-users] EXTERNAL_NET: any vs !$HOME_NET, Jason Brvenik
Next by Thread:  Re: [Snort-users] EXTERNAL_NET: any vs !$HOME_NET, Jason Brvenik
Indexes:  [Date] [Thread] [Top] [All Lists]