Snort mailing list archives
AW: Rules optimization
From: "Sean Wheeler" <s.wheeler () netprotect ch>
Date: Thu, 19 Jun 2003 10:30:13 +0200
Using

    var HOME_NET 10.10.10.0/24
    var EXTERNAL_NET !$HOME_NET

as indicated would not monitor attacks conducted from one HOME_NET machine to another HOME_NET machine, given the general EXTERNAL_NET -> HOME_NET rules. So if a box in the HOME_NET range was compromised, the attacker would generally be free to scan the HOME_NET undetected.

Using

    var HOME_NET 10.10.10.0/24
    var EXTERNAL_NET any

as indicated would solve the issue, if the above scenario is applicable to what you want your IDS to do. (No doubt false positives may creep in.... argh!! Compromise, compromise.)

Then again, having one deployment watching

    var HOME_NET 10.10.10.0/24
    var EXTERNAL_NET !$HOME_NET

and another watching

    var HOME_NET 10.10.10.0/24
    var EXTERNAL_NET $HOME_NET

would be just peachy ;)

regards
Sean

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On behalf of Erek Adams
Sent: Wednesday, June 18, 2003 19:20
To: Vuppala, Vijaybhasker (EM, GECIS)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rules optimization

On Wed, 18 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:

> I have used Snort ver 1.8.7 on Redhat Linux 7.3 with Default Rules
> provided [...snip...]

You need to upgrade. Versions <=1.9.1 have a nasty remotely exploitable hole in them.

As for rule tuning, it sounds like you don't have the HOME_NET and EXTERNAL_NET variables set correctly. HOME_NET should be set to the network you want to "watch", and EXTERNAL_NET should be everything else. So if your network was 10.10.10.0/24:

    var HOME_NET 10.10.10.0/24
    var EXTERNAL_NET !$HOME_NET

With those settings it should reduce the number of false positives you get.

As for tuning, you simply have to get Snort set up and working, and then examine each and every alert. You then have to decide if the packets are 'normal' or not. You'll discover things that you need to set up pass rules for, add BPF filters or add a rule for. Something like Ntop [0] is very helpful in this respect to get a nice 'overview' of your network's traffic.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.ntop.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
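The point Sean and Erek are arguing about is purely how Snort resolves the $EXTERNAL_NET and $HOME_NET address variables in a rule header. The Python below is an added illustration, not code from the thread or from Snort: it is a small model of that address resolution (variables, '!' negation, 'any', CIDR and [a,b] lists; ports, the '<>' direction operator and payload options are out of scope) run over a handful of constructed flows. It shows that with `EXTERNAL_NET !$HOME_NET` a compromised 10.10.10.5 scanning 10.10.10.9 is never inspected by an `$EXTERNAL_NET -> $HOME_NET` rule, with `EXTERNAL_NET any` it is, and with Sean's second sensor (`EXTERNAL_NET $HOME_NET`) only the internal-to-internal traffic is.

```python
import ipaddress

# The three variable sets discussed in the thread.
VARS_STRICT = {"HOME_NET": "10.10.10.0/24", "EXTERNAL_NET": "!$HOME_NET"}
VARS_ANY = {"HOME_NET": "10.10.10.0/24", "EXTERNAL_NET": "any"}
VARS_INTERNAL = {"HOME_NET": "10.10.10.0/24", "EXTERNAL_NET": "$HOME_NET"}

# Constructed sample flows (src, dst); the addresses are documentation ranges,
# not traffic from the original posters' networks.
FLOWS = [
    ("192.0.2.7", "10.10.10.9"),      # outside host probing the LAN
    ("10.10.10.5", "10.10.10.9"),     # compromised LAN box scanning a neighbour
    ("10.10.10.5", "10.10.10.200"),   # same box, another neighbour
    ("192.0.2.7", "198.51.100.4"),    # outside -> outside, not our business
]


def matcher(spec, variables):
    """Build a predicate ip_str -> bool for a Snort-style address spec.

    Handles 'any', a CIDR block, a $VAR reference, a leading '!' negation
    and a [a,b,...] list.  Resolution is recursive, so '!$HOME_NET' becomes
    'not (ip in 10.10.10.0/24)'.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        inner = matcher(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):
        return matcher(variables[spec[1:]], variables)
    if spec == "any":
        return lambda ip: True
    if spec.startswith("[") and spec.endswith("]"):
        parts = [matcher(p, variables) for p in spec[1:-1].split(",")]
        return lambda ip: any(p(ip) for p in parts)
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def rule_matches(src_spec, dst_spec, src_ip, dst_ip, variables):
    """Would a rule header 'src_spec -> dst_spec' fire for this src/dst pair?"""
    return matcher(src_spec, variables)(src_ip) and matcher(dst_spec, variables)(dst_ip)


def flows_seen(variables, flows=FLOWS, src_spec="$EXTERNAL_NET", dst_spec="$HOME_NET"):
    """Subset of flows the generic EXTERNAL_NET -> HOME_NET rule would even look at."""
    return [f for f in flows if rule_matches(src_spec, dst_spec, f[0], f[1], variables)]


if __name__ == "__main__":
    for label, variables in (("!$HOME_NET", VARS_STRICT),
                             ("any", VARS_ANY),
                             ("$HOME_NET", VARS_INTERNAL)):
        print(f"var EXTERNAL_NET {label:11} -> inspected: {flows_seen(variables)}")
```

Running it prints one line per variable set; the lateral-scan flows appear only under `any` and `$HOME_NET`, which is the blind spot Sean describes and the reason the two-sensor split covers both cases without doubling the false positives on a single box.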
Current thread:
- Rules optimization Vuppala, Vijaybhasker (EM, GECIS) (Jun 18)
- Re: Rules optimization Erek Adams (Jun 18)
- AW: Rules optimization Sean Wheeler (Jun 19)
- <Possible follow-ups>
- Re: Rules optimization Matt Kettler (Jun 18)
- RE: Rules optimization Vuppala, Vijaybhasker (EM, GECIS) (Jun 20)
- RE: Rules optimization Erek Adams (Jun 20)
- Re: Rules optimization Erek Adams (Jun 18)