Snort mailing list archives

Previous By Date Next
Previous By Thread Next

AW: Rules optimization

From: "Sean Wheeler" <s.wheeler () netprotect ch>
Date: Thu, 19 Jun 2003 10:30:13 +0200
Using
        var HOME_NET 10.10.10.0/24
        var EXTERNAL_NET !$HOME_NET

as indicated, would not monitor attacks conducted from one HOME_NET machine
to another HOME_NET machine given the general EXTERNAL_NET -> HOME_NET
rules.
So if a box in the HOME_NET range was compromised the attacker would
generally be free to scan the HOME_NET going undetected.


Using
        var HOME_NET 10.10.10.0/24
        var EXTERNAL_NET any

as indicated would solve the issue, if the above scenario is applicable to
what you want your IDS to do.
(no doubt false positives may creep in....arg !! compromise compromise)


Then again having a deployment watching
        var HOME_NET 10.10.10.0/24
        var EXTERNAL_NET !$HOME_NET

and another watching

        var HOME_NET 10.10.10.0/24
        var EXTERNAL_NET $HOME_NET

would be just peachy ;)

regards
Sean



-----Ursprungliche Nachricht-----
Von: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]Im Auftrag von Erek
Adams
Gesendet: Mittwoch, 18. Juni 2003 19:20
An: Vuppala, Vijaybhasker (EM, GECIS)
Cc: snort-users () lists sourceforge net
Betreff: Re: [Snort-users] Rules optimization


On Wed, 18 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:


I have used Snort ver 1.8.7 on Redhat Linux 7.3 with Default Rules

provided

[...snip...]

You need to upgrade.  Versions <=1.9.1 have a nasty remotely exploitable
hole in them.

As for rule tuning, it sounds like you don't have the HOME_NET and
EXTERNAL_NET variables set correctly.  HOME_NET should be set to the
network you want to "watch", and EXTERNAL_NET should be everything else.
So if your network was 10.10.10.0/24:

        var HOME_NET 10.10.10.0/24
        var EXTERNAL_NET !$HOME_NET

With those settings it should reduce the number of false postives you get.

As for tuning, you simply have to get Snort setup and working, and then
examine each and every alert.  You have then decide if the packets are
'normal' or not.  You'll discover things that you need to setup pass rules
for, add BPF filters or add a rule for.  Something like Ntop [0] is very
helpful in this respect to get a nice 'overview' of your networks traffic.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.ntop.org/


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: