Snort mailing list archives
Re: Snort as an anomalous behavior IDS
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Sat, 03 Apr 2010 00:09:47 +1300
On 04/01/2010 11:32 AM, Willst Mail wrote:
Is it as simple having a ruleset with the good rules, and a final rule that matches (any any -> any any)?
We use snort to monitor DMZes that way. Unlike real networks, DMZes are meant to contain hosts that have specific roles, and don't have users logged in running Skype/etc., i.e. their traffic flows are predictable. In particular, they shouldn't initiate outbound connections beyond the expected AV updates, Windows/YUM updates/etc. Then we created pass rules that allow such things, and trigger alerts on the rest.

On our network, DMZ alerts are really quiet for ages - and then some SysAdmin will forget where they are and go and read their Gmail or something - and we get an alert - soon followed by a "sorry! it's me!" - that proves it's working :-)

However, FTP is your enemy - no easy way to write "pass" rules for FTP. I've got HTTP "pass" rules to allow connections to hosts containing "uricontent:/repos/", or whitelist particular User-Agents - but you can't say "allow curl to ftp files".

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
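As an added illustration of the "pass the expected, alert on the rest" approach described in the reply above (example rules written for this page, not Jason Haar's actual ruleset): the address variables, server roles and SIDs are made-up placeholders. Note that Snort 2.x evaluates alert rules before pass rules by default, so the pass rules only win if you start snort with `-o` or set `config order: pass alert log activation dynamic` in snort.conf.

```snort
# Added example for this page, not the poster's configuration.
# All networks, hosts and SIDs below are constructed placeholders (RFC 5737 space).
# Requires snort -o, or in snort.conf:
#   config order: pass alert log activation dynamic
# so that pass rules are matched before the catch-all alert rules.

var DMZ_NET [203.0.113.0/24]
var DNS_SERVERS [203.0.113.2,203.0.113.3]
var NTP_SERVERS [203.0.113.2]
var AV_UPDATE_SERVERS [198.51.100.10]
var WSUS_SERVER [198.51.100.20]
var YUM_MIRROR [198.51.100.30]

# --- expected outbound flows from the DMZ: pass silently ---
pass udp $DMZ_NET any -> $DNS_SERVERS 53 (msg:"DMZ allowed DNS"; sid:9000001; rev:1;)
pass udp $DMZ_NET any -> $NTP_SERVERS 123 (msg:"DMZ allowed NTP"; sid:9000002; rev:1;)
pass tcp $DMZ_NET any -> $AV_UPDATE_SERVERS 80 (msg:"DMZ allowed AV update"; sid:9000003; rev:1;)
pass tcp $DMZ_NET any -> $WSUS_SERVER 8530 (msg:"DMZ allowed WSUS"; sid:9000004; rev:1;)

# HTTP pass rules keyed on URI path and User-Agent, as the post describes.
# Pass by path: only requests for /repos/ on the YUM mirror are allowed.
pass tcp $DMZ_NET any -> $YUM_MIRROR 80 (msg:"DMZ allowed YUM repo"; flow:to_server,established; uricontent:"/repos/"; nocase; sid:9000005; rev:1;)
# Pass by User-Agent: a known updater agent (placeholder name) to any web host.
pass tcp $DMZ_NET any -> any 80 (msg:"DMZ allowed updater UA"; flow:to_server,established; content:"User-Agent|3A| ExampleUpdater/"; sid:9000006; rev:1;)

# FTP cannot be handled this way: the data channel port is negotiated per session
# (PORT/PASV), so no static pass rule describes it. That is the limitation the post mentions.

# --- everything else initiated from inside the DMZ is unexpected: alert ---
# flags:S fires once per connection attempt (the initial SYN) rather than per packet.
alert tcp $DMZ_NET any -> !$DMZ_NET any (msg:"DMZ unexpected outbound TCP connection"; flags:S; sid:9000100; rev:1;)
alert udp $DMZ_NET any -> !$DMZ_NET any (msg:"DMZ unexpected outbound UDP"; sid:9000101; rev:1;)
alert icmp $DMZ_NET any -> !$DMZ_NET any (msg:"DMZ unexpected outbound ICMP"; sid:9000102; rev:1;)
```

Every pass rule is a blind spot by design, so keep them as narrow as the role allows (specific destination hosts and ports, not `any`), and review them when a DMZ host's role changes.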