Snort mailing list archives
Re: switch port settings?
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 01 Oct 2002 13:53:07 -0400
Sure, this is a very good idea, many snort setups do this. Ultimately you'll have to weigh if you're interested in attacks within your lan, but in many cases it makes sense to not trust your users. As far as the high alert level it looks like you just need to change some of your settings.
In particular you might want to consider:
1) change EXTERNAL_NET to be !$HOME_NET or at least !$SERVERS instead of any.
2) carefully pick which IPs and what thresholds to use for portscan. In general I try not to watch internal lan servers with this and I tend to increase the thresholds for snort boxes monitoring inside a lan (as opposed to those monitoring just the connection from a lan to the internet).
At 11:53 AM 10/1/2002 -0400, Matthew Harrell wrote:
I recently changed the switch port that my Snort box is on so that it hears the traffic that hits all the ports on the switch. This seems like it is a good idea in order to have a true NIDS; however, since doing so, I'm FLOODED with tons of alert and portscan log entries. I'm in the process of playing with ACID to improve the usage of these logs, but is it a good idea to leave the switch port set this way?
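The two changes suggested in the reply above, written out as a snort.conf fragment. This is an added example, not part of the original thread; it assumes the Snort 1.x `var` and `preprocessor portscan` syntax of the period, and the addresses, the USER_NET variable and the threshold numbers are constructed for illustration.

```conf
# Constructed example addresses (not from the thread).
var HOME_NET 192.168.0.0/16
var SERVERS  192.168.10.0/24   # $SERVERS is named in the reply; this value is assumed
var USER_NET 192.168.20.0/24   # hypothetical workstation subnet

# Before: every source address counts as "external", LAN hosts included.
# Once the sensor hears every switch port, rules of the form
#   alert tcp $EXTERNAL_NET any -> $HOME_NET ...
# also match ordinary LAN-to-LAN traffic, which floods the alert log.
# var EXTERNAL_NET any

# After, option 1: only non-LAN sources count as external.
# Trade-off: rules keyed on $EXTERNAL_NET no longer fire on LAN-to-LAN traffic.
var EXTERNAL_NET !$HOME_NET

# After, option 2: everything that is not a server counts as external,
# so LAN clients are still inspected but server-originated traffic is not.
# var EXTERNAL_NET !$SERVERS

# portscan arguments: <monitored network> <ports> <seconds> <log file>
# Before: watch all of HOME_NET, alert at 4 ports within 3 seconds.
# preprocessor portscan: $HOME_NET 4 3 portscan.log

# After: leave the servers out of the watched range and raise the
# threshold for a sensor that sits inside the LAN.
preprocessor portscan: $USER_NET 10 3 portscan.log
```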