Snort mailing list archives
RE: Thoughts on internal vs. external IDS rulesets
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Thu, 11 Apr 2002 12:16:16 -0400
Here's an example:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outgoing contains winnt\system32"; content: "winnt\system32"; nocase;)

Something like this might give you an indication if someone successfully changed to, or listed, a system directory on an NT box. This may not be the best example but you should get the idea of what variations you can try...

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Sent: Thursday, April 11, 2002 8:16 AM
To: Sheahan, Paul (PCLN-NW); 'Chris Eidem'; Snort Users Listserv (E-mail)
Subject: RE: [Snort-users] Thoughts on internal vs. external IDS rulesets

Hi Paul,

I'm interested in what you have said in your email. Can you give me some samples of rules for directories showing up to the world?

Thanks Paul

--- "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> wrote:
Some examples:

If your network normally has a certain type of traffic (i.e. mail, web etc), then set Snort to look for traffic OTHER than this. This will give you an indication of someone messing around.

Create some rules to check for odd types of traffic such as UDP traffic, fragmented traffic, ICMP traffic etc. This can help flag down problems on the network, someone snooping around, trojans etc.

Also, set your Snort sensor to alert you whenever internal server names, IP addresses, database names, application names, and names of private directories etc appear in OUTGOING packets. Normally you don't want internal data like this going out for the whole world to see.

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

-----Original Message-----
From: Chris Eidem [mailto:ceidem () Dexma com]
Sent: Wednesday, April 10, 2002 11:44 AM
To: Snort Users Listserv (E-mail)
Subject: [Snort-users] Thoughts on internal vs. external IDS rulesets

Hey y'all,

I'm in the process of reworking my rulesets for the sensors that I have on my network. What I would like to know from anyone who cares to answer is, "what is the difference between your internal and external sensors?"

Basically, I'm running (pretty much, anyway) the standard rulesets that come with snort on the external sensor and a modified local.rules that takes out a lot of the false positives for any internal activity on my internal sensors. I'm not really running that many special rules and I have a feeling that perhaps I need to.

By way of an example, I have a couple of rules looking for outbound tftp (CR and Nimda) and a couple of others for keeping track of users so that they don't run programs that cause problems for me (i.e. make my pager go off at 0300 because someone decided to run a PtP sharing proggie. They're walking funny now, thanks for asking...).

What do y'all look for running around in your network? Virii? PtP programs? Outbound unauthorized connections?
Anything I haven't mentioned?

TIA,
- chris

Chris Eidem
Dexma, Inc.
Network Administrator
7701 York Av. S.
Edina, MN 55435
Phone: 952.229.1311

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
Alwin Raymundo
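As an added illustration that is not part of any message in this thread, the following Python snippet re-implements the logic of Paul's outbound rule (tcp, $HOME_NET -> $EXTERNAL_NET, case-insensitive content match) and extends it to the server-name and private-directory patterns he suggests in his earlier reply, so the idea can be exercised offline against a handful of sample packets. HOME_NET, the two extra patterns and the sample packets are constructed assumptions, not values from the thread.

```python
"""Minimal model of Snort's outbound content rules from the thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed $HOME_NET; the real value comes from your snort.conf.
HOME_NET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# One tuple per rule: (msg, content, nocase). First entry is the rule Paul posted;
# the other two are constructed examples of "internal names in OUTGOING packets".
OUTBOUND_RULES = [
    ("Outgoing contains winnt\\system32", b"winnt\\system32", True),
    ("Outgoing contains internal hostname", b"dbserver01.corp.internal", True),
    ("Outgoing contains private directory", b"/var/www/private", False),
]


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    payload: bytes


def is_home(ip: str) -> bool:
    return any(ip_address(ip) in net for net in HOME_NET)


def is_outbound(pkt: Packet) -> bool:
    # Models the "$HOME_NET any -> $EXTERNAL_NET any" header of the rule.
    return is_home(pkt.src) and not is_home(pkt.dst)


def content_match(payload: bytes, content: bytes, nocase: bool) -> bool:
    # "nocase;" makes the content comparison case-insensitive.
    return content.lower() in payload.lower() if nocase else content in payload


def check_packet(pkt: Packet) -> list[str]:
    """Return the msg of every rule this packet triggers (empty list if none)."""
    if pkt.proto != "tcp" or not is_outbound(pkt):
        return []
    return [msg for msg, content, nocase in OUTBOUND_RULES
            if content_match(pkt.payload, content, nocase)]


SAMPLE_PACKETS = [  # constructed sample traffic
    Packet("tcp", "10.1.2.3", "203.0.113.7", b"Directory of C:\\WINNT\\System32\r\n"),
    Packet("tcp", "203.0.113.7", "10.1.2.3", b"cd winnt\\system32"),   # inbound: no alert
    Packet("tcp", "10.1.2.3", "198.51.100.9", b"host=DBSERVER01.corp.internal"),
    Packet("udp", "10.1.2.3", "203.0.113.7", b"winnt\\system32"),      # not tcp: no alert
    Packet("tcp", "10.1.2.3", "203.0.113.7", b"GET /index.html HTTP/1.0\r\n"),
]


def run(packets=SAMPLE_PACKETS) -> list[tuple[int, str]]:
    """(packet index, msg) for every alert raised over the packet list."""
    return [(i, msg) for i, p in enumerate(packets) for msg in check_packet(p)]


if __name__ == "__main__":
    for i, msg in run():
        print(f"packet {i}: {msg}")
```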
Current thread:
- Thoughts on internal vs. external IDS rulesets Chris Eidem (Apr 10)
- Re: Thoughts on internal vs. external IDS rulesets Steve Ochani (Apr 10)
- <Possible follow-ups>
- RE: Thoughts on internal vs. external IDS rulesets Chris Eidem (Apr 10)
- RE: Thoughts on internal vs. external IDS rulesets Sheahan, Paul (PCLN-NW) (Apr 10)
- RE: Thoughts on internal vs. external IDS rulesets Alwin Raymundo (Apr 11)
- RE: Thoughts on internal vs. external IDS rulesets Sheahan, Paul (PCLN-NW) (Apr 11)