Snort mailing list archives
Re: frag3_engine policy in heterogeneous env.
From: "Bachelor, Stephen A CTR USSOCOM HQ" <Stephen.Bachelor.ctr () socom mil>
Date: Wed, 25 Jun 2008 08:52:33 -0400
Chris, I don't know snort well enough to say which gets you the fewest false positives or false negatives for evasion with an even blend of operating systems. But what I did, when faced with a similar situation, was to run p0f on the port that snort would run on, then perl-ify the logfile into a big list mapping internal IPs to operating systems, and referenced that file from my snort.conf. The script I used was pretty ugly, but I could probably dig it up if it'd help.

-Steve

-----Original Message-----
From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of chris ryan
Sent: Wednesday, June 25, 2008 8:33 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] frag3_engine policy in heterogeneous env.

Hi,

as far as I understand, the policies "emulate" the target host OS defragmentation to avoid an evasion of the IDS. For now, we have a very heterogeneous environment and cannot map the subnets to specific operating systems. In effect, the "bind-to" combined with "policy xyz" is not applicable. So, my guess is, I've to use one frag3_engine policy for all the traffic (with possible evasion side effect to IDS). The default engine is "BSD". Is "BSD" a good choice for such a heterogeneous environment?

Thanks in advance,
Chris.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
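The p0f-to-snort.conf step Steve describes, written out as an added example (Python rather than his Perl script, and not code from the thread or from the Snort project). It assumes p0f 2.x style log lines (the sample below is constructed to match that layout, not a real capture), the frag3 policy names Snort 2.x documents (bsd, linux, windows, solaris), and that the output goes into a file that snort.conf pulls in with an `include`. It also handles the case the thread does not mention: a host seen with conflicting OS guesses, and hosts p0f reports as UNKNOWN.

```python
"""Build per-host frag3_engine lines for snort.conf from a p0f log.

Added example, not the script from the mailing-list post.  Assumes a p0f
2.x "-o" log format (sample below is constructed) and Snort 2.x frag3
option syntax.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the style of p0f 2.x log output; not a real capture.
SAMPLE_P0F_LOG = """\
<Wed Jun 25 08:10:01 2008> 10.10.1.5:49152 - Windows XP SP1+, 2000 SP3 -> 192.0.2.80:80 (distance 0, link: ethernet/modem)
<Wed Jun 25 08:10:02 2008> 10.10.1.7:33210 - Linux 2.6 (newer, 1) -> 192.0.2.80:80 (distance 0, link: ethernet/modem)
<Wed Jun 25 08:10:03 2008> 10.10.2.9:1044 - FreeBSD 6.x (1) -> 192.0.2.80:443 (distance 0, link: ethernet/modem)
<Wed Jun 25 08:10:04 2008> 10.10.1.5:49153 - Windows XP SP1+, 2000 SP3 -> 192.0.2.25:25 (distance 0, link: ethernet/modem)
<Wed Jun 25 08:10:05 2008> 10.10.3.3:5555 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] -> 192.0.2.80:80 (distance 0, link: ethernet/modem)
<Wed Jun 25 08:10:06 2008> 10.10.1.7:33211 - Solaris 10 (1) -> 192.0.2.80:80 (distance 0, link: ethernet/modem)
<Wed Jun 25 08:10:07 2008> 10.10.1.7:33212 - Linux 2.6 (newer, 1) -> 192.0.2.80:80 (distance 0, link: ethernet/modem)
"""

# Leading word of a p0f OS guess -> frag3 target policy name.
# (first, last and bsd-right exist too but are not OS emulation policies.)
OS_TO_POLICY = {
    "windows": "windows",
    "linux": "linux",
    "freebsd": "bsd", "openbsd": "bsd", "netbsd": "bsd", "mac": "bsd",
    "solaris": "solaris",
}

# source IP:port, " - ", the OS guess, " -> " destination
LINE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ - (.+?) -> ")


def parse_p0f(log_text):
    """Yield (source_ip, os_guess) for every line that fits the p0f layout."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def policy_for(os_guess):
    """frag3 policy for a guess, or None when p0f could not classify it."""
    return OS_TO_POLICY.get(os_guess.split()[0].lower())


def host_policies(log_text):
    """Map each fingerprinted source IP to exactly one policy.

    A host can show up with different guesses (overlapping signatures, or a
    different box behind the same address later on).  Majority vote among
    the classifiable guesses, so one stray line does not flip the engine.
    """
    votes = defaultdict(Counter)
    for ip, guess in parse_p0f(log_text):
        pol = policy_for(guess)
        if pol:
            votes[ip][pol] += 1
    return {ip: c.most_common(1)[0][0] for ip, c in votes.items()}


def frag3_engine_lines(host_to_policy, default_policy="bsd"):
    """Render one frag3_engine line per policy, bound to the hosts needing it.

    frag3's bind_to is matched against the packet's destination address,
    which is what a reassembly policy should key on: the stack that will
    reassemble the fragments is the target's.  p0f fingerprinted these hosts
    as SYN senders, so their source IPs become bind_to destinations here.
    Hosts with no usable guess fall through to the unbound default engine,
    which is emitted last so the bound engines are listed first.
    """
    by_policy = defaultdict(list)
    for ip, pol in host_to_policy.items():
        by_policy[pol].append(ip)
    lines = []
    for pol in sorted(by_policy):
        ips = sorted(by_policy[pol], key=ipaddress.ip_address)
        lines.append("preprocessor frag3_engine: policy %s, bind_to [%s]"
                     % (pol, ",".join(ips)))
    lines.append("preprocessor frag3_engine: policy %s" % default_policy)
    return lines


if __name__ == "__main__":
    # Real use: read p0f's log file instead of SAMPLE_P0F_LOG, write the
    # lines to e.g. /etc/snort/frag3_engines.conf (assumed path) and add
    # "include /etc/snort/frag3_engines.conf" to snort.conf.
    print("\n".join(frag3_engine_lines(host_policies(SAMPLE_P0F_LOG))))
```

Two caveats for anyone repeating this: p0f only sees stacks that send SYNs past the sensor, so internal hosts that never initiate connections through that tap never get an entry and silently land on the default engine; and the majority vote hides the ambiguity rather than resolving it, so hosts with split votes are worth listing separately and checking by hand before the file is trusted.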
Current thread:
- frag3_engine policy in heterogeneous env. chris ryan (Jun 25)
- Re: frag3_engine policy in heterogeneous env. Bachelor, Stephen A CTR USSOCOM HQ (Jun 25)