Snort mailing list archives
Re: Getting more paranoid by the minute. :-/
From: Alejandro Flores <alejandro.flores () triforsec com br>
Date: Sun, 25 Apr 2004 10:09:32 -0300
Hello,
> Somewhat unrelated question: Once I set this up, how much time should I expect to have to spend on it daily? They want me to do other stuff, like install tripwire and host-based firewalls on all the servers, run nessus against everything and deal with the results, set up a new mail server, and a myriad of other normal SysAdmin tasks. I certainly hope that Snort doesn't require a lot of care and feeding every day ... but I don't know enough yet to be able to judge that.
After install, you should properly configure Snort for your network. I mean, configure the variables correctly (HOME_NET, HTTP_SERVERS...) so you can get more accuracy from Snort. As you said that they will run webapps, configure the http_inspect preprocessor very carefully. This will reduce the false positives. Check this article on SecurityFocus about SQL Injection and XSS: http://www.securityfocus.com/infocus/1768

I don't like to log the alerts directly from Snort to the database. I prefer to log to the unified output, and run barnyard to read this log and send the alerts to the database. This way, you can schedule a job, transfer the logs to a central, and correlate the data.

After setup, the first days will be learning days. You'll discover how the internet likes your network, and things like CodeRed and the MS-SQL worm are still alive.

Have fun!

Alejandro Flores
--TriForSec
http://www.triforsec.com.br/
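A snort.conf and barnyard.conf fragment illustrating the setup described in the reply above (HOME_NET/HTTP_SERVERS variables, a tuned http_inspect, unified output handed to barnyard); this is an added example, not configuration from the original post or from the Snort project. Addresses, file names and the database credential are constructed placeholders, and the directives assume Snort 2.1-era syntax and barnyard 0.2-era syntax.

```conf
# --- snort.conf (constructed example; Snort 2.1-era syntax assumed) ---
# Scope the rules to your own address space. Everything outside HOME_NET
# is external, so traffic between two outside hosts does not raise alerts.
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET

# Only the real web servers match the web rules, so rules keyed on
# $HTTP_SERVERS do not fire on desktops that merely browse.
var HTTP_SERVERS [192.0.2.10,192.0.2.11]
var HTTP_PORTS 80
var SQL_SERVERS [192.0.2.20]

# HTTP normalisation: the global block supplies the IIS unicode map; each
# per-server block picks the profile matching the real server software so
# normalisation alerts (double encoding, unicode, long directories) reflect
# what that server would actually decode. Unknown hosts get the strict
# "all" profile.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }
preprocessor http_inspect_server: server 192.0.2.10 profile apache ports { 80 } flow_depth 300
preprocessor http_inspect_server: server 192.0.2.11 profile iis ports { 80 }

# Write alerts and packet logs in unified (binary) format only. No database
# plugin inside Snort, so a slow database never stalls packet capture.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf (constructed example; barnyard 0.2-era syntax assumed) ---
# barnyard reads the unified files and does the slow work (DB inserts,
# syslog) out of band, on the sensor or on a central box after the files
# are copied there.
config daemon
config hostname: sensor1
config interface: eth0
config sid-msg-map: /etc/snort/sid-msg.map
config gen-msg-map: /etc/snort/gen-msg.map
config class-file: /etc/snort/classification.config

# Alerts to syslog for a quick look, and into the ACID/snort schema for
# correlation. DB_PASSWORD is a placeholder, not a real credential.
output alert_syslog
output alert_acid_db: mysql, sensor_id 1, database snort, server 192.0.2.5, user snort, password DB_PASSWORD, detail full
```

Start barnyard against the unified alert file with a waldo bookmark so a restart resumes where it stopped, e.g. `barnyard -c barnyard.conf -d /var/log/snort -f snort.alert -w /var/log/snort/barnyard.waldo` (barnyard 0.2 invocation, assumed).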