Snort has many configuration variables and options, but the two most important ones are $HOME_NET and $EXTERNAL_NET.
$HOME_NET is a variable that defines the network or networks you are trying to protect, while $EXTERNAL_NET is the external, untrusted networks to which you are connected. These variables are used in virtually all rules to specify criteria for the source and destination of a packet.
The default of both variables is "any," which means just what it sounds like. Setting $HOME_NET is pretty much a no-brainer. Configure the variable to the network or networks you are trying to protect, as shown in the examples in the snort.conf configuration file.
There are a number of other variables that define DNS, SMTP, HTTP, SQL, Telnet, SNMP and AIM servers, and HTTP, SHELLCODE and Oracle ports. The default for all server variables is to set them to $HOME_NET, which is another reason to set that correctly. This will work pretty well, but you may find you can cut down false positives by setting these variables more specifically. You should verify the port variables in case you are using non-standard ports, but you can otherwise leave them alone.
SNORT INTRUSION DETECTION AND PREVENTION GUIDE
Why Snort makes IDS worth the time and effort
How to identify and monitor network ports
How to handle network design with switches and segments
Where to place IDS network sensors
Finding an OS for Snort IDS sensors
How to determine network interface cards for IDS sensors
Modifying and writing custom Snort IDS rules
How to configure Snort variables
Where to find Snort IDS rules
How to automatically update Snort rules
How to decipher the Oinkcode for Snort's VRT rules
Using IDS rules to test Snort
ABOUT THE AUTHOR:
|JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.|