How to configure Snort variables

Snort has many configuration variables and options, but the two most important ones are $HOME_NET and $EXTERNAL_NET....

$HOME_NET is a variable that defines the network or networks you are trying to protect, while $EXTERNAL_NET is the external, untrusted networks to which you are connected. These variables are used in virtually all rules to specify criteria for the source and destination of a packet.

The default of both variables is "any," which means just what it sounds like. Setting $HOME_NET is pretty much a no-brainer. Configure the variable to the network or networks you are trying to protect, as shown in the examples in the snort.conf configuration file.

$EXTERNAL_NET is a little more tricky, and there are two schools of thought concerning its configuration. The first group prefers to leave it set to the default of "any" since that picks up the most events. The second group prefers !$HOME_NET, which means literally anything that is not in $HOME_NET, because this setting cuts down on false positives and lets Snort run a little more efficiently. However, it opens up the possibility of missing an internal-to-internal (i.e. $HOME_NET to $HOME_NET) attack. Since 60 to 80 % of all attacks are internal, depending on what survey you read, I recommend leaving $EXTERNAL_NET set to any. Also, never set $EXTERNAL_NET to !$HOME_NET if $HOME_NET is set to any, since that effectively sets $EXTERNAL_NET to nothing.

There are a number of other variables that define DNS, SMTP, HTTP, SQL, Telnet, SNMP and AIM servers, and HTTP, SHELLCODE and Oracle ports. The default for all server variables is to set them to $HOME_NET, which is another reason to set that correctly. This will work pretty well, but you may find you can cut down false positives by setting these variables more specifically. You should verify the port variables in case you are using non-standard ports, but you can otherwise leave them alone.

SNORT INTRUSION DETECTION AND PREVENTION GUIDE

  Introduction
  Why Snort makes IDS worth the time and effort
  How to identify and monitor network ports
  How to handle network design with switches and segments
  Where to place IDS network sensors
  Finding an OS for Snort IDS sensors
  How to determine network interface cards for IDS sensors
  Modifying and writing custom Snort IDS rules
  How to configure Snort variables
  Where to find Snort IDS rules
  How to automatically update Snort rules
  How to decipher the Oinkcode for Snort's VRT rules
  Using IDS rules to test Snort

ABOUT THE AUTHOR: JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source projects including Snort, and has previously worked as an information security consultant and systems engineer.