Snort mailing list archives
Re: Default Rules
From: Clue Store <cluestore () gmail com>
Date: Mon, 21 Jun 2010 08:43:07 -0500
Hi Alex, Thanks for the quick reply. And yes, I am in the market to buy some Snort clue today :) The link you sent for the rule tuning is exactly what I was looking for. I'll also check out Metasploit which looks like a great way to test. And no, we had no plans to deploy those boxes on our production network. We have a spare cable modem connection that we would put this on, so it will be completely isolated from our production boxen. Thanks again for the reply. Time to do some reading and get my learn on :) On Mon, Jun 21, 2010 at 8:16 AM, Alex Kirk <akirk () sourcefire com> wrote:
First off, nice email address. :-) Now, to the meat of your questions here. The fact that you're on a small network with just a few hosts is likely relevant to the number of alerts you're seeing; the larger the network, generally the more events you get. Since the goal of any IDS administrator is to tune their system to the point that they get the minimum number of alerts - i.e. only those that are truly relevant and actionable - you're actually probably starting from a good position here. Rules are commented out for a number of reasons. At the risk of tooting my own horn here, you might want to read the blog post I put together back in January that discusses this very issue: http://vrt-sourcefire.blogspot.com/2010/01/vrt-guide-to-ids-ruleset-tuning.html If there are rules that you think you might want to run that are commented out now, feel free to turn them on - especially if they're protecting against vulnerabilities that are likely present on your network, based on the software you're running (i.e. the SQL servers you've mentioned). Since you're on a small network, you can probably turn a large number of rules on at once and still perform fairly well - you may just get buried in a pile of irrelevant alerts if you're turning on things without thinking about them. You may also wish to disable certain rules, based upon what you've got running there. We try to design our defaults around "generic" networks, and since every network is individual, we may have enabled things you don't need. Finally, as for testing rules - I sure wouldn't put an intentionally unpatched box onto a production network, that's just asking for trouble. If you want to go that route - which is quite legitimate if you're testing things out - do it in an isolated environment, so you don't accidentally get something nasty on your production boxes. Tools like Metasploit are probably going to be your friend here, since they let you launch a number of attacks easily. On Mon, Jun 21, 2010 at 8:59 AM, Clue Store <cluestore () gmail com> wrote:Hi All, I’m new to Snort, so take it easy :) I have enabled the portscan preprocessor and am detecting port scans from Nessus and Nmap, but if I disable that preprocessor, i’m not getting much else in the way of intrusions (this could be due to the fact that im only sniffing a small amount of traffic for a few hosts). I also see that alot of the rules are #‘d out, so they aren’t being used. 1. Should I uncomment out some of these some or all of the rules (for example, I have alot of different SQL servers on my network I want to protect). What about the bad-traffic.rules, etc??? Are these commented out due to too many false positives and noise??? 2. What is a good way of testing some of the rules out?? Do I deploy an un-patched server with IIS and SQL for example that have known vulnerabilities?? Honeypots?? Thanks, Max ------------------------------------------------------------------------------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com
------------------------------------------------------------------------------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Default Rules Clue Store (Jun 21)
- Re: Default Rules Alex Kirk (Jun 21)
- Re: Default Rules Clue Store (Jun 21)
- Re: Default Rules Joe Pampel (Jun 21)
- Re: Default Rules Clue Store (Jun 21)
- Re: Default Rules Alex Kirk (Jun 21)