This is a discussion on RE: [Snort-users] rules and the EXTERNAL_NET variable within the Snort forums, part of the System Security and Security Related category.
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of adam_peterson@splwg.com
Sent: Wednesday, November 26, 2003 3:47 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] rules and the EXTERNAL_NET variable

> I've now defined the EXTERNAL_NET variable as !$HOME_NET, excluding my defined internal subnets. I have 2 sensors running to compare the results of also having the EXTERNAL_NET set to 'any' and found that, much to my dismay, the vast majority of rules specify EXTERNAL_NET as the source, so even though I'm getting far fewer false positives with the new/test sensor, I'm also going to potentially miss a virus-based attack on my LANs. It seems as though certain types of attacks, specifically any attack coming from a virus, should not specify the EXTERNAL_NET variable as the source because this means that the EXTERNAL_NET variable MUST be defined as 'any' or viruses will be missed.

What you are talking about is alerts as they apply to *your* network. Only *you* can decide what's appropriate for those.

In my case, I chose to disable all worm-type alerts (Slammer, Welchia, Code Red, etc.) and write custom alerts that change the flow from EXT->HOME to HOME->EXT, because *I* don't care about worms that someone else has. I care about worms that we have. Others may think differently.

> if you're using EXTERNAL_NET to mean what, again IMHO, should mean? It's the same for Nimda except there isn't an outbound rule for Nimda, so more could be missed. It seems it would make more sense this way, but maybe my configuration is unique? Or maybe it's just Wednesday afternoon before a 4-day weekend...

*I* think EXTERNAL_NET should mean "not on my network", so I chose to define it as !$HOME_NET. Others may disagree.

> Should I expect to customize my rules to this level of detail if I expect to seriously limit the amount of false positives? I've always just disabled as many rules that cause false positives as possible, but now I'm running into rules that I can't in my right mind disable. Maybe I'm just reaching the next step in customization? I could really use a sanity check before going through every rule.

Yes, I think what you're running into is that stage where you have to start creating customized rules that provide the kind of information that *you* want to see. I think making EXTERNAL_NET = !$HOME_NET makes eminently good sense, but as you point out that makes some rules "blind" to internal problems. So, I chose to create special rules for those. In most cases I simply took an existing rule and swapped $EXTERNAL_NET and $HOME_NET *in that rule*, so that I would see internal problems going out of my network. I then commented out the "default" rule, because I don't care about, for example, someone who has Code Red that is "attacking" my network.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
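The procedure Paul describes above (define EXTERNAL_NET as !$HOME_NET, then for each inbound worm rule swap $EXTERNAL_NET and $HOME_NET in that rule and comment out the default) can be applied mechanically to a rules file. The script below is an added example written for this page; it is not code from the thread or from the Snort project. The sample rules, their SIDs and messages, the HOME_NET subnets, the `(outbound from HOME_NET)` msg suffix and the starting local SID are all constructed assumptions; the only Snort facts relied on are the single-line rule header layout (`action proto src sport dir dst dport (options)`) and the convention that SIDs from 1000000 upward are reserved for local rules.

```python
import re

# Constructed snort.conf variable definitions matching the choice discussed in the
# thread: EXTERNAL_NET is "anything not on my network". Subnets are made up.
SNORT_CONF_VARS = """\
var HOME_NET [10.0.0.0/8,192.168.0.0/16]
var EXTERNAL_NET !$HOME_NET
"""

# Constructed sample rules in Snort 2.x syntax. SIDs, messages and content
# strings are invented for illustration; they are not entries from any real ruleset.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example worm probe"; flow:to_server,established; content:"/example-worm-probe"; nocase; classtype:web-application-attack; sid:9000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL example worm propagation"; content:"|04|"; depth:1; classtype:misc-attack; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP example outbound rule"; sid:9000003; rev:1;)
"""

# Single-line rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"sid:\s*(\d+);")
MSG_RE = re.compile(r'msg:"([^"]*)";')

LOCAL_SID_BASE = 1000000  # SIDs >= 1000000 are reserved for local rules
MSG_SUFFIX = " (outbound from HOME_NET)"  # assumption: how the custom copy is labelled


def is_inbound(rule):
    """True for rules whose header reads $EXTERNAL_NET ... -> $HOME_NET ..."""
    m = HEADER_RE.match(rule.strip())
    return bool(m) and m.group("src") == "$EXTERNAL_NET" and m.group("dst") == "$HOME_NET"


def swap_direction(rule, new_sid):
    """Return a copy of an inbound rule with the network variables swapped.

    Only the address variables change: ports stay with their side of the arrow,
    so `any -> 80` remains `any -> 80`. flow:to_server is relative to the
    connection, so it still describes a HOME_NET client talking to an external
    server. The copy gets a fresh local SID and a marked msg so it is
    distinguishable from the disabled original in alert output.
    """
    m = HEADER_RE.match(rule.strip())
    if m is None:
        raise ValueError("not a single-line Snort rule: " + rule)
    f = m.groupdict()
    swap = {"$EXTERNAL_NET": "$HOME_NET", "$HOME_NET": "$EXTERNAL_NET"}
    src = swap.get(f["src"], f["src"])
    dst = swap.get(f["dst"], f["dst"])
    opts = SID_RE.sub("sid:%d;" % new_sid, f["opts"], count=1)
    opts = MSG_RE.sub(lambda mm: 'msg:"%s%s";' % (mm.group(1), MSG_SUFFIX), opts, count=1)
    return "%s %s %s %s %s %s %s (%s)" % (
        f["action"], f["proto"], src, f["sport"], f["dir"], dst, f["dport"], opts
    )


def rewrite_rules(rules_text, sid_base=LOCAL_SID_BASE):
    """Apply the thread's procedure to a whole rules file.

    Every inbound EXT->HOME rule is commented out and followed by its HOME->EXT
    copy; comments, blank lines and rules that are already outbound pass through
    untouched. Returns the new file as a list of lines.
    """
    out = []
    next_sid = sid_base
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or not is_inbound(line):
            out.append(line)
            continue
        out.append("# " + line)  # keep the default rule on file, but disabled
        out.append(swap_direction(line, next_sid))
        next_sid += 1
    return out


if __name__ == "__main__":
    print(SNORT_CONF_VARS)
    print("\n".join(rewrite_rules(SAMPLE_RULES)))
```

Point the script at a real rules file instead of `SAMPLE_RULES` and check the result with Snort's configuration test (`snort -T -c snort.conf`) before deploying; the one thing to verify by hand is that the local SID range you start from does not collide with other local rules already in use.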