
How to configure Snort variables
JP Vossen, CISSP
Rating: -3.60- (out of 5)

|
Snort has many configuration variables and options, but the two most important ones are $HOME_NET and $EXTERNAL_NET. $HOME_NET is a variable that defines the network or networks you are trying to protect, while $EXTERNAL_NET is the external, untrusted networks to which you are connected. These variables are used in virtually all rules to specify criteria for the source and destination of a packet.
The default of both variables is "any," which means just what it sounds like. Setting $HOME_NET is pretty much a no-brainer. Configure the variable to the network or networks you are trying to protect, as shown in the examples in the snort.conf configuration file.
$EXTERNAL_NET is a little more tricky, and there are two schools of thought concerning its configuration. The first group prefers to leave it set to the default of "any" since that picks up the most events. The second group ...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
');
// -->

prefers !$HOME_NET, which means literally anything that is not in $HOME_NET, because this setting cuts down on false positives and lets Snort run a little more efficiently. However, it opens up the possibility of missing an internal-to-internal (i.e. $HOME_NET to $HOME_NET) attack. Since 60 to 80 % of all attacks are internal, depending on what survey you read, I recommend leaving $EXTERNAL_NET set to any. Also, never set $EXTERNAL_NET to !$HOME_NET if $HOME_NET is set to any, since that effectively sets $EXTERNAL_NET to nothing.
There are a number of other variables that define DNS, SMTP, HTTP, SQL, Telnet, SNMP and AIM servers, and HTTP, SHELLCODE and Oracle ports. The default for all server variables is to set them to $HOME_NET, which is another reason to set that correctly. This will work pretty well, but you may find you can cut down false positives by setting these variables more specifically. You should verify the port variables in case you are using non-standard ports, but you can otherwise leave them alone.
ABOUT THE AUTHOR:
[IMAGE]JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source
projects including Snort, and has previously worked as an information security consultant and systems engineer.
 |

|
|
 |
|
 |