Snort mailing list archives

Thoughts on internal vs. external IDS rulesets


From: "Chris Eidem" <ceidem () Dexma com>
Date: Wed, 10 Apr 2002 10:43:58 -0500

Hey y'all,

I'm in the process of reworking my rulesets for the sensors that I have
on my network.  What I would like to know from anyone who cares to
answer is, "what is the difference between your internal and external
sensors?"

Basically, I'm running (pretty much, anyway) the standard rulesets that
come with snort on the external sensor and a modified local.rules that
takes out a lot of the false positives for any internal activity on my
internal sensors.  I'm not really running that many special rules and I
have a feeling that perhaps I need to.  

By way of an example, I have a couple of rules looking for outbound tftp
(CR and Nimda) and a couple of others for keeping track of users so that
they don't run programs that cause problems for me (i.e. make my pager
go off at 0300 because someone decided to run a PtP sharing proggie.
They're walking funny now, thanks for asking...).

What do y'all look for running around in your network?  Virii?  PtP
programs?  Outbound unauthorized connections?  Anything I haven't
mentioned?

TIA,
 - chris

Chris Eidem                        Dexma, Inc.
Network Administrator              7701 York Av. S.
Phone: 952.229.1311                Edina, MN 55435

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
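The two kinds of local rules the post describes, outbound TFTP from the inside and a P2P client handshake, written out as an added example. These are not rules from the original message or from the stock Snort distribution; they assume Snort 2.x rule syntax, that $HOME_NET and $EXTERNAL_NET are set in snort.conf, and that SIDs in the 1000000+ local range are free. The TFTP rule keys on the RRQ opcode (0x0001) that begins every read request; the Gnutella rule keys on the plaintext "GNUTELLA CONNECT" handshake.

```snort
# --- local.rules (added example, not part of the original post) ---
# Assumes: var HOME_NET and var EXTERNAL_NET defined in snort.conf.
# Assumes: sid 1000001-1000003 unused by other local rules.

# Outbound TFTP read request from an internal host.  The worm behaviour
# the post refers to is a victim running "tftp -i <attacker> GET <file>",
# so the interesting direction is HOME_NET -> anywhere, dst port 69.
# Opcode 1 (|00 01|) = RRQ; depth:2 keeps the match on the opcode only.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 \
    (msg:"LOCAL outbound TFTP read request"; \
    content:"|00 01|"; depth:2; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Same, for write requests (opcode 2 = WRQ), in case a host is pushing
# files out rather than pulling them in.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 \
    (msg:"LOCAL outbound TFTP write request"; \
    content:"|00 02|"; depth:2; \
    classtype:policy-violation; sid:1000002; rev:1;)

# Gnutella client handshake leaving the network.  The handshake is the
# plaintext line "GNUTELLA CONNECT/<ver>" sent by the connecting peer,
# so match established, client-to-server traffic only.
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"LOCAL Gnutella client handshake outbound"; \
    flow:to_server,established; \
    content:"GNUTELLA CONNECT"; depth:16; \
    classtype:policy-violation; sid:1000003; rev:1;)
```

Two caveats when running these on an internal sensor. TFTP only uses port 69 for the first datagram; the server replies from an ephemeral port and the transfer continues there, so the rules above fire once per request and will not see the data blocks. And because both rules are policy rules rather than exploit signatures, they belong in local.rules on the sensor that watches HOME_NET egress, not on the external sensor, where any internal host whose TFTP or P2P traffic is legitimate (network gear pulling firmware over TFTP, for instance) should be excluded with a pass rule or a narrower $HOME_NET before the pager is wired to them.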
