Administrator
The shield is currently using the Open ruleset from Emerging Threats by Proofpoint: https://www.proofpoint.com/us/threat-intelligence-open-source-community
They post a daily ruleset summary so you can see what was added or deleted when your rules update: http://www.proofpoint.com/us/daily-ruleset-update-summary
The actual rules are here: https://rules.emergingthreats.net/open/snort-edge/rules/
The rules are changed from alert to drop so the packets are dropped.
Here is a new user guide regarding your rules: http://doc.emergingthreats.net/bin/view/Main/NewUserGuide
Here is a ruleset FAQ showing what is included in the different categories. It's old though as many of the categories have changed: http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ
It's mentioned here and around the web that tuning is critical for your ruleset. This keeps out the false positives and keeps your network fast. If you don't have a certain device, product, or application then you should delete those rules. Itus was getting feedback from users and through testing to also see what rules were breaking things. Since we are doing it ourselves, it's important to watch the logs and collaborate.
Running the latest OpenWrt stable release
The author has deleted this message.
Administrator
I agree. For bridge mode though it needs to stay on "any" since it's inspecting traffic wan to wan and home is actually your external IP.
Running the latest OpenWrt stable release
In reply to this post by Me_3594
Since I'm in Router mode, I'm considering making the edit
ipvar HOME_NET [192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]
where 192.168 is the subnet of my modem, 10.1.1 is my access point (wifi router), and 10.10.10.10 is of course the Shield. Similarly then, I should be able to change
ipvar EXTERNAL_NET any
to
ipvar EXTERNAL_NET !$HOME_NET
Any issues anyone can spot? Should I be treating the modem subnet as external too?
OpenWrt SNAPSHOT, r10391-3d8d528939
Hi
I tried
ipvar EXTERNAL_NET !$HOME_NET
but shield refused to connect to internet, so I put in the IP of the router instead. All worked, but I'm not sure if this is correct:
ipvar EXTERNAL_NET 192.168.0.1
roadrunnere42
Administrator
In reply to this post by Gnomad
On the external it wouldn't break anything but it wouldn't achieve anything either. That would just exclude your IPs on external that you put into the home. Since your LAN isn't on the internet and hidden behind NAT, it would be the same as any.
Running the latest OpenWrt stable release
Administrator
In reply to this post by Roadrunnere42
It didn't work because that syntax would cancel itself out. It's saying external IPs can be anything BUT what is listed in home_net, which is ANY. You would need to have something listed in home_net. Also, you basically disabled your rules where you put in your internal IP for your external. You want that to be ANY.
Running the latest OpenWrt stable release
In reply to this post by user8446
I take your point, but from the perspective of the router, my access point holds a 10.10.10.X DHCP lease. So I do at least want to exclude the 10.10.10 subnet from the external ruleset. Maybe the below would be more accurate then, just not sure whether the ![10.10.10.0/24] syntax would be exactly correct.
ipvar EXTERNAL_NET ![10.10.10.0/24]
OpenWrt SNAPSHOT, r10391-3d8d528939
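The three ipvar variants discussed in this thread, worked through as an added example (this code is not from the thread, from Itus, or from the Snort project): a small Python model of how ipvar expressions resolve, fed with the HOME_NET subnets Gnomad proposed and a few constructed probe addresses. Its handling of bracket lists is a simplified assumption, not Snort's real parser, but it is enough to show why `EXTERNAL_NET !$HOME_NET` matches nothing while HOME_NET is still `any`, and how `![10.10.10.0/24]` treats the modem subnet as external.

```python
import ipaddress

# Constructed configurations modelling the three ipvar variants from the thread.
# The HOME_NET subnets are the ones proposed in the thread; the probe addresses
# further down are constructed sample values, not real hosts.
CONFIGS = {
    # HOME_NET left at "any" with EXTERNAL_NET negating it: the configuration
    # user8446 describes as cancelling itself out.
    "home_any_external_negated": {
        "HOME_NET": "any",
        "EXTERNAL_NET": "!$HOME_NET",
    },
    # HOME_NET populated first, then EXTERNAL_NET = everything else.
    "router_mode": {
        "HOME_NET": "[192.168.100.0/24,10.1.1.0/24,10.10.10.0/24]",
        "EXTERNAL_NET": "!$HOME_NET",
    },
    # Only the LAN behind the Shield excluded; the modem subnet counts as
    # external, as asked in the last post.
    "exclude_lan_only": {
        "HOME_NET": "[10.10.10.0/24]",
        "EXTERNAL_NET": "![10.10.10.0/24]",
    },
}


def _split_top_level(text):
    """Split a bracket-list body on commas that are not inside nested brackets."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def matches(expr, ip, variables):
    """Return True if address `ip` is matched by the ipvar expression `expr`.

    Supported forms: any, a.b.c.d, a.b.c.d/nn, [x,y,...], !negation, $VAR.
    Inside a list, negated members carve holes out of the positive members;
    a list with only negated members is treated as "everything except".
    This is a simplified model (assumption), not Snort's own parser.
    """
    expr = expr.strip()
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        return matches(variables[expr[1:]], ip, variables)
    if expr == "any":
        return True
    if expr.startswith("[") and expr.endswith("]"):
        members = _split_top_level(expr[1:-1])
        positives = [m for m in members if not m.startswith("!")]
        negatives = [m[1:] for m in members if m.startswith("!")]
        in_positive = not positives or any(matches(p, ip, variables) for p in positives)
        in_negative = any(matches(n, ip, variables) for n in negatives)
        return in_positive and not in_negative
    # Plain address or CIDR; a bare address becomes a /32 network.
    return ip in ipaddress.ip_network(expr, strict=False)


def classify(config_name, ip_text):
    """Report whether an address falls in HOME_NET and/or EXTERNAL_NET."""
    variables = CONFIGS[config_name]
    ip = ipaddress.ip_address(ip_text)
    return {
        "home": matches(variables["HOME_NET"], ip, variables),
        "external": matches(variables["EXTERNAL_NET"], ip, variables),
    }


def external_can_match(config_name, probes):
    """True if at least one probe address is matched by EXTERNAL_NET.

    When this is False, every rule whose source is $EXTERNAL_NET can never
    fire; that is the practical effect of the "cancels out" configuration.
    """
    return any(classify(config_name, p)["external"] for p in probes)


PROBES = ["8.8.8.8", "192.168.100.1", "10.1.1.20", "10.10.10.5"]  # constructed

if __name__ == "__main__":
    for name in CONFIGS:
        print(f"== {name}: EXTERNAL_NET usable = {external_can_match(name, PROBES)}")
        for p in PROBES:
            print(f"   {p:<15} {classify(name, p)}")
```

Running the script prints, for each configuration, whether EXTERNAL_NET can match anything at all and how each probe address is classified. With HOME_NET still `any`, no address is ever external, so the drop rules keyed on `$EXTERNAL_NET` go silent; once HOME_NET lists the LAN subnets, `!$HOME_NET` behaves as intended, and `![10.10.10.0/24]` puts the 192.168.100.x modem side on the external side.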