Snort mailing list archives
Reversing Snort
From: "Terry Schmidt" <terry () nycwireless net>
Date: Mon, 11 Jun 2001 14:16:50 -0400
I'm working with the free wireless communities (www.seattlewireless.net, www.personaltelco.net, www.bawug.org, www.nycwireless.net) to add IDS functions to the Access Point Gateway machines. One of the problems that we face is people trying to do illegal and abusive activities on this free public network, and trying to prevent this without making the network difficult to use. What we are currently experimenting with is using Snort on the Access Point Gateway, and reversing the rules to watch the outgoing traffic, instead of the incoming traffic, for "bad traffic". I'm currently using 982 Snort rules. After the testing is done, we will add the functionality of Guardian to the firewall rules, to shut down abusive users upon detection. So far it looks like Snort will fill the need perfectly: detecting "bad traffic" and shutting down that IP address (with Guardian).

Some of the issues that have come up:

1. False Positives on Port Scan Detection - What is the ideal setting for the Port Scan Preprocessor to not catch any false positives, but still catch people doing port scans? I currently have it set as (where $HOME_NET = ANY):

    preprocessor portscan: $HOME_NET 10 3 portscan.log

   and this gives fewer false positives than the default "4 3" setting, but still gives false positives.

2. Rule set to use for outgoing - I've been trying to narrow down what rule set should be used for this type of environment, reducing false positives, such as 'WEB-MISC ICQ Webfront HTTP DOS', 'WEB-IIS view source via translate header'. Does anyone have any recommendations on how to narrow down the rules to be used on this type of installation? My current thoughts are just to drop a snort box on a network with 'good' user traffic, and comment out all the rules that give false positives.

Also if anyone has any advice or comments on using Snort for this purpose, please let me know.
Thanks for any help in advance,
--Terry
www.nycwireless.net
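A small model of the portscan threshold the post is tuning, added here as an example (it is neither Terry's code nor Snort's own implementation): it simplifies the Snort 1.x `portscan: <network> <ports> <seconds> <logfile>` rule to "flag a source once it touches at least <ports> distinct destination host:port pairs within <seconds>", and runs the post's "4 3" and "10 3" settings over constructed traffic (addresses, timestamps and the browsing pattern are all made up) to show why the default fires on ordinary web browsing while the scan is caught either way.

```python
"""Added example, not from the post or from Snort itself: a simplified
model of the Snort 1.x portscan preprocessor threshold, so the two
settings mentioned in the post ("4 3" and "10 3") can be compared on
constructed traffic.  Assumption: a source is flagged once it touches at
least <ports> distinct destination host:port pairs within <seconds>."""
from collections import defaultdict, deque


def detect_portscans(events, ports, seconds):
    """events: (timestamp, src_ip, dst_ip, dst_port) tuples.
    Returns the set of sources that reach the threshold in any
    sliding window of <seconds>."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, (dst_ip, port))
    flagged = set()
    for ts, src, dst, dport in sorted(events):
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > seconds:  # expire entries outside the window
            q.popleft()
        if len({target for _, target in q}) >= ports:
            flagged.add(src)
    return flagged


def sample_traffic():
    """Constructed traffic: one user loading a web page (DNS, page, HTTPS
    login, image host, ad server, tracker) and one host probing 20 ports
    on a single target within one second."""
    browser = [
        (100.0, "10.0.0.5", "192.0.2.53", 53),      # DNS lookup
        (100.1, "10.0.0.5", "198.51.100.10", 80),   # page
        (100.4, "10.0.0.5", "192.0.2.53", 53),      # DNS again, same target
        (100.6, "10.0.0.5", "198.51.100.10", 443),  # login form
        (101.0, "10.0.0.5", "198.51.100.20", 80),   # image host
        (101.3, "10.0.0.5", "198.51.100.30", 80),   # ad server
        (102.2, "10.0.0.5", "198.51.100.40", 443),  # tracker
    ]
    scanner = [(200.0 + i * 0.05, "10.0.0.9", "203.0.113.7", p)
               for i, p in enumerate(range(1, 21))]
    return browser + scanner


if __name__ == "__main__":
    traffic = sample_traffic()
    for ports, secs in ((4, 3), (10, 3)):  # the two settings from the post
        print(f"portscan {ports} {secs}:",
              sorted(detect_portscans(traffic, ports, secs)))
```

The browser reaches six distinct host:port pairs inside three seconds, so it trips the "4 3" default but not "10 3"; the scanner trips both, which is the trade-off the post describes.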