Snort mailing list archives
Re: Newbie - Rules updates, multiple interfaces, etc.
From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Mon, 10 May 2004 07:56:56 -0700 (PDT)
Mark G. Spencer wrote:

I'm running Snort on two machines, one Win98 and another WinXP Professional. How can I enable *all* Snort rules? I got an answer (or answers) back that you wouldn't want to do this, you should tune your rules for the platforms Snort is running in front of. This doesn't make sense to me from a security perspective - who's to say, through an intrusion, other IT guys, or the curious guy in engineering, that new services will appear on your network you hadn't planned on? If you have the processing power, wouldn't you want Snort utilizing the full ruleset?

--

Mark,

The short answer is to look in your snort.conf and uncomment the rule include statements near the end of the file, e.g.:

# include $RULE_PATH/web-attacks.rules

The long answer is to consider what you hope to learn with Snort. Every Snort alert is an indicator that must be analyzed, validated, and potentially escalated to a decision maker. If you're not collecting the session and full content data needed to properly analyze an event, you're more likely to generate alerts which you must ignore for lack of supporting data.

There is some value in enabling rules for services which are not presumed to exist. For example, a shop running only Apache might leave IIS rules enabled to catch rogue IIS servers. Shops with more robust change management and configuration control disable rules for services they know don't apply to their environment.

Snort is powerful because users can customize it. I recommend trying a variety of rule combinations and seeing what works for you.

I also recommend replacing your Windows 98 system with an OS in the NT family, if you must run Snort on Windows at all. A security application like Snort does not belong on a consumer-minded desktop OS.

Sincerely,

Richard
http://www.taosecurity.com
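As an added example (not part of the original post, and not code from the Snort project), the following POSIX shell script does the "short answer" mechanically on a constructed snort.conf fragment: it uncomments every rule include, then comments one rule file back out, which is the tuning step the "long answer" recommends for services known not to exist. The snort.conf content, the function names and the rule file names are assumptions made for the demonstration; the `include $RULE_PATH/<file>.rules` line format is the Snort 2.x convention the post refers to.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Snort project.
# Constructed tail of a Snort 2.x snort.conf: the default file ships most
# rule includes commented out, and the operator uncomments the ones wanted.
SAMPLE_CONF='# Step #4: Customize your rule set
include classification.config
include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/web-iis.rules
# include $RULE_PATH/web-cgi.rules
# include $RULE_PATH/smtp.rules
#include $RULE_PATH/backdoor.rules
include $RULE_PATH/local.rules
var HOME_NET any'

# enable_all_rules: read a snort.conf on stdin, write it on stdout with every
# "# include $RULE_PATH/<file>.rules" line uncommented.  Other commented
# lines (ordinary comments, non-rule includes) are left untouched.
enable_all_rules() {
    awk '
        /^[ \t]*#[ \t]*include[ \t]+[$]RULE_PATH\/[^ \t]+\.rules[ \t]*$/ {
            sub(/^[ \t]*#[ \t]*/, "")
        }
        { print }
    '
}

# disable_rule FILE: comment out the active include for one rule file,
# e.g. "disable_rule web-iis.rules" for a shop that knowingly runs no IIS.
disable_rule() {
    awk -v file="$1" '
        $1 == "include" && $2 == ("$RULE_PATH/" file) { print "# " $0; next }
        { print }
    '
}

# count_enabled: number of active (uncommented) rule includes on stdin.
count_enabled() {
    awk '/^[ \t]*include[ \t]+[$]RULE_PATH\/[^ \t]+\.rules/ { n++ } END { print n + 0 }'
}

# Demonstration: turn everything on, then tune one rule file back off.
printf '%s\n' "$SAMPLE_CONF" | enable_all_rules | disable_rule web-iis.rules
```

On a real installation the same functions run as filters, e.g. `enable_all_rules < snort.conf > snort.conf.new`, and the result should be checked with `snort -T -c snort.conf.new` before it replaces the live file. Note that a rule file which is uncommented but absent from `$RULE_PATH` will stop Snort from starting, so count what is enabled before and after rather than assuming the edit took.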
Current thread:
- Newbie - Rules updates, multiple interfaces, etc. Mark G. Spencer (May 09)
- <Possible follow-ups>
- Re: Newbie - Rules updates, multiple interfaces, etc. Richard Bejtlich (May 10)