Metasploit & nmap testing on same subnet
Hey everyone, I have a snort sensor placed at various subnets on my network. When I run metasploit or nmap from a different subnet to another, snort alerts; however, when I run it against a target on the same subnet it doesn't alert at all, it just alerted on metasploit going to the web to update. I know the reasoning is most likely because in my snort conf file I have the HOME_NET set correctly to the right subnet and not using ANY, I'm pretty sure that this is why it isn't alerting. However, my question to you all is how do you deal with this? I mean for my purposes I have firewalls blocking inbound traffic, but I also have snort sensors watching inbound and outbound traffic and all my different subnets, but isn't the main point of having an IDS to see if anyone is attacking you internally? I'd rather know that someone breached my network and is running metasploit or nmap internally and trying to hack my servers, because that is more likely than someone getting in from outside; they're most likely going to get in and use a local address to investigate my network. Please correct me if I'm wrong. I just went through about 4 months of testing and tuning my snort sensors but would like to know and prevent someone from rooting me internally. THANKS!!
This is a question of trust. You've effectively configured snort to trust HOME_NET. For some of the rules that's probably a good idea because it reduces some noise. However, for other rules you don't want to trust HOME_NET. In fact, you are correct in expecting that the most dangerous activities will be from the inside. First, test your hypothesis and set HOME_NET to exclude the network where you have installed metasploit. Run metasploit and confirm that snort detects it as expected. Second, investigate the noise level when you set HOME_NET to ANY. This is the more secure configuration. Now, depending on the noise level, you might choose to be selective about which rules reference HOME_NET and which rules are always using ANY.
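To make the "trust" point concrete, here is an added example (not code from the thread or from the Snort project) that models how the address part of a Snort rule header such as `alert tcp $EXTERNAL_NET any -> $HOME_NET any` is evaluated. It assumes the tuned sensor defines `ipvar HOME_NET 10.1.2.0/24` with `ipvar EXTERNAL_NET !$HOME_NET`, and the permissive sensor leaves both variables as `any` (the stock snort.conf default); the subnet and the sample source/destination addresses are constructed for the illustration. Running it shows why a scan from one host to another inside HOME_NET never matches an `$EXTERNAL_NET -> $HOME_NET` rule, and how a rule written `$HOME_NET -> $HOME_NET` would still catch that lateral traffic.

```python
import ipaddress

# Constructed for this example: the subnet the tuned sensor treats as HOME_NET.
HOME_NET_SUBNET = "10.1.2.0/24"


def make_vars(home_net):
    """Build the two standard snort.conf IP variables for a given HOME_NET.

    Assumption (not stated in the thread): the tuned sensor uses
    EXTERNAL_NET = !$HOME_NET; with HOME_NET = any both variables are any,
    which is what the stock snort.conf ships with.
    """
    if home_net == "any":
        return {"HOME_NET": ("any", None), "EXTERNAL_NET": ("any", None)}
    net = ipaddress.ip_network(home_net, strict=False)
    return {"HOME_NET": ("in", net), "EXTERNAL_NET": ("not_in", net)}


def var_matches(var, ip):
    """Does an address satisfy an ipvar value (any / member / negated member)?"""
    mode, net = var
    addr = ipaddress.ip_address(ip)
    if mode == "any":
        return True
    if mode == "in":
        return addr in net
    return addr not in net          # models the !$HOME_NET negation


def rule_fires(src, dst, home_net, rule_src="EXTERNAL_NET", rule_dst="HOME_NET"):
    """Evaluate the address portion of a rule header (ports are ignored here).

    Default arguments model 'alert tcp $EXTERNAL_NET any -> $HOME_NET any';
    pass rule_src="HOME_NET" to model a rule that also watches internal sources.
    """
    v = make_vars(home_net)
    return var_matches(v[rule_src], src) and var_matches(v[rule_dst], dst)


def compare(src, dst, home_net=HOME_NET_SUBNET):
    """Side-by-side verdict for the tuned sensor vs. HOME_NET = any."""
    return {
        "tuned_external_rule": rule_fires(src, dst, home_net),
        "tuned_internal_rule": rule_fires(src, dst, home_net,
                                          rule_src="HOME_NET", rule_dst="HOME_NET"),
        "home_net_any": rule_fires(src, dst, "any"),
    }


if __name__ == "__main__":
    # Constructed sample flows: one scan from another subnet, one lateral scan.
    for src, dst in [("192.168.50.7", "10.1.2.10"), ("10.1.2.5", "10.1.2.10")]:
        print(f"{src} -> {dst}: {compare(src, dst)}")
```

Against the constructed flows, the cross-subnet scan fires under every configuration, while the same-subnet scan is invisible to the tuned sensor's `$EXTERNAL_NET -> $HOME_NET` rule and only becomes visible when either HOME_NET is `any` or the rule itself is written to accept `$HOME_NET` as a source. That is the selective approach the answer above describes: keep HOME_NET narrow for noisy rules, and let the rules that matter for lateral movement use `any` (or `$HOME_NET`) on the source side.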
Thank you mbatcatbird, I really appreciate it. I'll start out by setting the smaller subnets to ANY and use my threshold file accordingly to filter out the noise, and eventually I'll move it to my heavier-traffic networks. More work, oye!! But thank you for clarifying, I just wanted to know why it wasn't really detecting when I was exploiting on the same subnet, now I know! I'm most worried about rooting and exploits coming from within, so I will be switching all my HOME_NETs to ANY! Thank you!!