From: Erek Adams (erektheadamsfamily.net)
Date: Thu Nov 01 2001 - 13:23:29 CST

    On Thu, 1 Nov 2001, Merrick, Gary wrote:

    > Yes, this is a total newbie question, but I figured this is the right
    > place to ask it.

    No, it's not. We flog all newbies with streams of Electrons until they bow
    down to the power of Snort.

    ;-)

    > What is the purpose of the HOME_NET and EXTERNAL_NET variables that are
    > defined in snort.conf? Does it change the formatting of the alerts? Or
    > perhaps turn off the scanning of packets originating from an internal
    > network? Or something else?

    Answer D) A mixture. :)

    > I would imagine this would be a fairly straightforward process to define
    > them if one had an extremely simple network architecture. But my
    > ultimate aim is to be able to monitor 3 or 4 networks. In such a case,
    > what is considered "home" and what is "external"?

    HOME_NET and EXTERNAL_NET are basically exactly what they say. Anything
    inside a range that you wish to call 'home' should be defined as HOME_NET.
    This defines your local net(s). Your 'area of watching' you could say.

    EXTERNAL_NET is just the opposite. It's where you want to watch for things
    coming from. If you go to the rules and look you'll see a lot of rules that
    break down to something like "If a packet comes in from EXTERNAL_NET and is
    going to HOME_NET and has these patterns/flags/content, then alert someone."

    My suggestion:

      var HOME_NET 10.1.1.0/24 (Or whatever your range(s) are.)
      var EXTERNAL_NET !$HOME_NET (Everything but HOME_NET)

    Here's a FAQ link for what you want to do with the multi subnets:

    http://www.snort.org/docs/faq.html#3.3

    > Any guidance would be much appreciated.

    http://www.snort.org/
    http://www.snort.org/docs/faq.html (Slightly older version)
    http://www.theadamsfamily.net/~erek/snort/FAQ (Copy I yanked from CVS)
    http://www.snort.org/docs/writing_rules/
    http://www.snort.org/docs/SnortUsersManual.pdf

    And of course: The Source Code! :)

    Hope that helps!

    -----
    Erek Adams
    Nifty-Type-Guy
    TheAdamsFamily.Net

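The matching logic Erek describes ("if a packet comes in from EXTERNAL_NET and is going to HOME_NET ... then alert") can be worked through concretely. The following is an added example, not code from the post or from the Snort project: a small resolver that parses `var` lines in the form the post suggests, resolves `$HOME_NET`, `$EXTERNAL_NET` and `!$HOME_NET` in rule headers, and reports which constructed rules a given packet would trigger. The two snort.conf fragments, the rule headers, the subnets and the packet addresses are all constructed for illustration. It also shows the caveat the original question was circling: with `EXTERNAL_NET !$HOME_NET`, traffic between two of your own subnets does not fire an `$EXTERNAL_NET -> $HOME_NET` rule, whereas with the common default `EXTERNAL_NET any` it does.

```python
"""Toy resolver for Snort 1.x-style HOME_NET / EXTERNAL_NET variables.

Added example, not code from the post or from the Snort project. It parses
'var NAME value' lines the way the post's suggested snort.conf uses them,
resolves rule headers against them, and reports which rules a given packet
would trigger. The config, rules and packets below are constructed.
"""
import ipaddress
import re

# Constructed snort.conf fragment: two "home" subnets, EXTERNAL_NET defined
# as the negation of HOME_NET, as the post suggests.
CONF_NEGATED = """\
var HOME_NET [10.1.1.0/24,10.1.2.0/24]
var EXTERNAL_NET !$HOME_NET
"""

# Same HOME_NET, but EXTERNAL_NET left as 'any' (a common default setting).
CONF_ANY = """\
var HOME_NET [10.1.1.0/24,10.1.2.0/24]
var EXTERNAL_NET any
"""

# Constructed rule headers in Snort's "action proto src sport -> dst dport" form.
RULES = [
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 80",
    "alert tcp $HOME_NET any -> $EXTERNAL_NET 6667",
]

ANY_NET = [ipaddress.ip_network("0.0.0.0/0")]


def parse_ipspec(spec, variables):
    """Turn '10.1.1.0/24', '[a,b]', 'any', '$NAME' or '!...' into (negated, nets)."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        ref_negated, nets = variables[spec[1:]]  # KeyError if used before defined
        return (negated != ref_negated, nets)    # !$X flips X's own negation
    if spec == "any":
        return (negated, ANY_NET)
    nets = [ipaddress.ip_network(s.strip()) for s in spec.strip("[]").split(",")]
    return (negated, nets)


def parse_vars(conf):
    """Return {name: (negated, [networks])} from the 'var' lines of a snort.conf."""
    variables = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)\s*$", line)
        if m:
            variables[m.group(1)] = parse_ipspec(m.group(2), variables)
    return variables


def ip_matches(ipspec, addr):
    """True if addr satisfies the (possibly negated) network list."""
    negated, nets = ipspec
    inside = any(ipaddress.ip_address(addr) in net for net in nets)
    return inside != negated


def port_matches(portspec, port):
    return portspec == "any" or int(portspec) == port


def matching_rules(conf, rules, src, sport, dst, dport):
    """Rule header strings that would fire for src:sport -> dst:dport."""
    variables = parse_vars(conf)
    hits = []
    for rule in rules:
        _action, _proto, rsrc, rsport, arrow, rdst, rdport = rule.split()
        if arrow != "->":
            raise ValueError(f"unsupported direction operator in: {rule}")
        if (ip_matches(parse_ipspec(rsrc, variables), src)
                and port_matches(rsport, sport)
                and ip_matches(parse_ipspec(rdst, variables), dst)
                and port_matches(rdport, dport)):
            hits.append(rule)
    return hits


if __name__ == "__main__":
    # Constructed packets: one from outside, one between two home subnets.
    for label, conf in (("!$HOME_NET", CONF_NEGATED), ("any", CONF_ANY)):
        print(f"EXTERNAL_NET {label}:")
        for src, dst in (("198.51.100.7", "10.1.1.5"), ("10.1.2.9", "10.1.1.5")):
            hits = matching_rules(conf, RULES, src, 40000, dst, 80)
            print(f"  {src} -> {dst}:80 fires {hits}")
```

Running it shows that under `EXTERNAL_NET !$HOME_NET` only the packet from 198.51.100.7 fires the first rule, while under `EXTERNAL_NET any` the 10.1.2.9 -> 10.1.1.5 packet fires it too. That is the practical difference between the two settings: the variables do not switch scanning of internal traffic off, they decide which rules can match it. Real Snort also handles `<>` bidirectional rules, port ranges and nested variables, which this toy deliberately leaves out.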