You can define $EXTERNAL_NET to not include $HOME_NET, i.e.:
ipvar EXTERNAL_NET !$HOME_NET
But that removes Snort's ability to see traffic from HOME_NET ->
HOME_NET, which, if you have other tools working on the inside,
might not be a problem.
It depends on what you are looking for, looking at, and where Snort sits.
This is the wonderful part of Snort: the tweaking.
As for the noob questions, search the Snort mailing list here:
http://seclists.org/snort/
On Thu, Apr 25, 2013 at 4:49 PM, controlling chaos <contro...@inbox.com> wrote:
> Ugh. I was afraid of that.
>
> So, noob question number 2: what's the point of having $HOME_NET in this rule, since the rule will always trigger an event?
>
> noobq2b:
>
> wouldn't
>
> alert tcp $EXTERNAL_NET any -> any 1521
>
> be more useful, since if something is targeting an IP that is not present, that would be of interest? We're going to be triggering an event for existing HOME_NET IPs as the rule is written, which would seem to be counterproductive.
>
> Or is my head way up there and I'm clearly not understanding how rules operate?
>
> OK, better question: is there a snort noobq mailing list or educational forum? The snort-users seems pretty far past simple noob questions. And I understand this is not really the proper list for general snort questions.
>
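The effect of the two $EXTERNAL_NET definitions discussed above, as an added illustration that is not part of the thread. It assumes a constructed HOME_NET of 10.0.0.0/8 and 192.168.1.0/24, assumes the rule in question is `alert tcp $EXTERNAL_NET any -> $HOME_NET 1521` (the thread only shows the `-> any 1521` variant), and uses constructed sample flows.

```python
"""Emulate how Snort's $EXTERNAL_NET definition changes which flows a
port-1521 rule can match. Added example; HOME_NET, the rule shape and the
flows are assumptions/constructed, not taken from the thread."""
import ipaddress

# Assumed HOME_NET definition (constructed for this example).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.1.0/24")]


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def external_net_matches(ip, external_net):
    """Emulate the two ipvar EXTERNAL_NET definitions from the thread."""
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":          # ipvar EXTERNAL_NET !$HOME_NET
        return not in_home_net(ip)
    raise ValueError("unsupported EXTERNAL_NET definition: " + external_net)


def rule_fires(flow, external_net, dst_var="$HOME_NET"):
    """Evaluate 'alert tcp $EXTERNAL_NET any -> <dst_var> 1521' on one flow."""
    src, dst, dport = flow
    if dport != 1521:
        return False
    if not external_net_matches(src, external_net):
        return False
    return True if dst_var == "any" else in_home_net(dst)


# Constructed sample flows: (src, dst, dst_port).
FLOWS = {
    "internet_to_dbhost": ("203.0.113.7", "10.1.2.3", 1521),
    "lan_to_dbhost":      ("192.168.1.50", "10.1.2.3", 1521),      # HOME_NET -> HOME_NET
    "internet_to_unused": ("203.0.113.7", "198.51.100.9", 1521),   # dst outside HOME_NET
}


def evaluate(external_net, dst_var="$HOME_NET"):
    """Which sample flows the rule fires on under a given EXTERNAL_NET/dst pair."""
    return {name: rule_fires(f, external_net, dst_var) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for ext in ("any", "!$HOME_NET"):
        for dst in ("$HOME_NET", "any"):
            print(f"EXTERNAL_NET={ext:11} dst={dst:9} -> {evaluate(ext, dst)}")
```

With `!$HOME_NET` the LAN-to-LAN flow stops matching, which is exactly the internal visibility the reply warns you give up; `-> any` is what makes the flow to a non-HOME_NET address visible.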