Snort mailing list archives

Re: Eliminating rulesets


From: Phil Wood <cpw () lanl gov>
Date: Sat, 9 Feb 2002 18:11:41 -0700

Hmm,

On Sat, Feb 09, 2002 at 07:26:41PM -0500, Jeff Elkins wrote:
Thanks.

I'll research invert before I repost. Wouldn't want to make someone drink an 
extra beer :)

% dict invert
       v 1: make an inversion (in a musical composition); "here the
            theme is inverted"
       2: turn inside out or upside down [syn: {reverse}]

What I meant to say was fix up a rules file which looks for attacks going
out from your site.  An easy way would be to:

 % sed -e 's/EXTERNAL_NET/XXX_NET/' -e 's/HOME_NET/EXTERNAL_NET/' < web-iis.rules | sed -e 's/XXX_NET/HOME_NET/' > inverted-web-iis.rules

But, check the contents of your {EXTERNAL|HOME}_NET variables first.

Also, take another look at the various web alerts that triggered.  You
might see Forbidden or Connection closed ..., etc.

Or, is that another beer...


Jeff


On Saturday 09 February 2002 06:08 pm, you wrote:
On Sat, Feb 09, 2002 at 01:42:42PM -0500, Jeff Elkins wrote:
I'm not trying to promote alcohol usage, but I have a newbie question:

I'm evaluating Snort on a Linux DSL/firewall box that also serves as a
mail server and webserver (Sendmail/Apache).  The boxen inside the
firewall are all Linux as well. I've commented out the Microsoft-specific
rulesets (IIS,Frontpage and Cold Fusion). Other than statistics
gathering, is there any reason I'd want them applied?

You might want to invert them.

I was getting a _bunch_ of IIS alerts before I turned them off, btw.

Thanks,

Jeff Elkins





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Phil Wood, cpw () lanl gov
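One way to script the inversion Phil describes, as an added example that is not part of this thread or of Snort itself. It swaps both variables on every occurrence in a line, and it additionally shifts each sid by an offset (SID_OFFSET, assumed 1000000) and prefixes the msg with "OUTBOUND " so the inverted copy can be loaded next to the original without a duplicate-sid clash; both are this example's own choices, and the sample rule is constructed in the style of web-iis.rules, not a real Snort rule.

```shell
#!/bin/sh
# Added example, not from the original posts: invert Snort rules so that
# rules written for attacks arriving at $HOME_NET watch for the same
# attacks leaving it. Reads rules on stdin, writes inverted rules on stdout.
# SID_OFFSET and the "OUTBOUND " msg prefix are this example's assumptions.
SID_OFFSET=${SID_OFFSET:-1000000}

# Swap the two variables through a placeholder so the second substitution
# cannot undo the first; /g handles lines that mention a variable twice.
# In the sed pattern \$ is a literal dollar; in the replacement $ is literal.
# The awk stage shifts sid:N; by SID_OFFSET and passes other lines through.
invert_rules() {
    sed -e 's/\$EXTERNAL_NET/@SWAP_NET@/g' \
        -e 's/\$HOME_NET/$EXTERNAL_NET/g' \
        -e 's/@SWAP_NET@/$HOME_NET/g' \
        -e 's/msg:"/msg:"OUTBOUND /' |
    awk -v off="$SID_OFFSET" '
        match($0, /sid:[0-9]+;/) {
            n = sprintf("%d", substr($0, RSTART + 4, RLENGTH - 5) + off)
            $0 = substr($0, 1, RSTART + 3) n substr($0, RSTART + RLENGTH - 1)
        }
        { print }'
}

# Invert a single rule given as a string (convenience wrapper).
invert_one() {
    printf '%s\n' "$1" | invert_rules
}

# Constructed sample rule in the style of web-iis.rules (not a real rule).
SAMPLE_RULE='alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:2345; rev:1;)'

invert_one "$SAMPLE_RULE"
```

As in the original one-liner, this only makes sense if HOME_NET and EXTERNAL_NET are actually set to distinct address ranges in snort.conf; with HOME_NET left as `any`, the inverted rules fire on traffic from everywhere.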
