Snort mailing list archives
Re: Default Rules
From: Clue Store <cluestore () gmail com>
Date: Mon, 21 Jun 2010 08:57:46 -0500
Hi Joe,

I do understand that I should disable all rules that I know I won't have any services for. The policy manager looks very cool and I will check it out as this will probably help me with managing rules. I have a rather small environment (~30 servers), so with the policy manager, I should be able to turn on most rules and turn them off as I need to.

Thanks for the info,
Max

On Mon, Jun 21, 2010 at 8:45 AM, Joe Pampel <jpampel () paladyne com> wrote:
Jm2c:

1. Ideally you should adjust the rulebase to reflect your network. If you are not running Oracle, disable Oracle rules as an example. Someone could throw Oracle attacks at you all day and you really don't care. ;) You want to limit the number of hits you get to be things you need to care about. There are so many random SSH, ICMP, etc. scans that no one could ever follow up on them all. I use IDS Policy Manager (http://www.activeworx.org/Default.aspx?tabid=55) to track my rules which makes it a lot easier to see what they all are, turn them on and off, etc.

2. Good way to "test" it out is to tap traffic outside your internet facing router and see all the bad stuff in the wild. Your sensor will get a workout. ;) Not realistic, but you will see rules fire.

3. My advice is to download Splunk and have it collect your snort logs (or have snort syslog to splunk). The free version is very cost effective ;) and does not choke on large numbers of entries. It's also helpful to ID patterns in your alert traffic. For example, I have a person in Poland who SNMP scans me 1 host at a time, 2 packets a day. For the past month. :) I doubt I would have noticed that otherwise with all the other daily excitement.

4. I would not deploy anything deliberately vulnerable other than a purpose built honeypot.

From: Clue Store [mailto:cluestore () gmail com]
Sent: Monday, June 21, 2010 9:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Default Rules

Hi All,

I'm new to Snort, so take it easy :) I have enabled the portscan preprocessor and am detecting port scans from Nessus and Nmap, but if I disable that preprocessor, I'm not getting much else in the way of intrusions (this could be due to the fact that I'm only sniffing a small amount of traffic for a few hosts). I also see that a lot of the rules are #'d out, so they aren't being used.

1. Should I uncomment some or all of these rules (for example, I have a lot of different SQL servers on my network I want to protect)? What about the bad-traffic.rules, etc.? Are these commented out due to too many false positives and noise?

2. What is a good way of testing some of the rules out? Do I deploy an un-patched server with IIS and SQL for example that have known vulnerabilities? Honeypots?

Thanks,
Max
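Joe's point 3, spotting the scanner that probes one host at a time, two packets a day, in the alert logs, as an added example that is not part of this thread or of Snort itself: a Python script that parses Snort alert_fast lines and flags sources that keep returning day after day in volumes too small for a per-day threshold to notice. The alert lines, SIDs and addresses are constructed for the example.

```python
import re
from collections import defaultdict
# Snort alert_fast lines (one alert per line, MM/DD-HH:MM:SS.usec, no year).
# All lines below are constructed for this example; SIDs 1000001/1000002 are
# placeholders in the local-rule range, not rules shipped with Snort.
SAMPLE_ALERTS = """\
06/01-02:14:07.120045  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:48211 -> 192.0.2.10:161
06/01-02:14:07.355912  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:48211 -> 192.0.2.10:161
06/02-02:16:41.009871  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:51877 -> 192.0.2.11:161
06/02-02:16:41.221004  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:51877 -> 192.0.2.11:161
06/03-02:15:12.776001  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:40120 -> 192.0.2.12:161
06/03-02:15:12.990231  [**] [1:1000001:1] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:40120 -> 192.0.2.12:161
06/02-11:03:55.000001  [**] [1:1000002:1] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:60001 -> 192.0.2.10:22
06/02-11:03:55.100002  [**] [1:1000002:1] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:60002 -> 192.0.2.10:22
06/02-11:03:55.200003  [**] [1:1000002:1] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:60003 -> 192.0.2.10:22
06/02-11:03:55.300004  [**] [1:1000002:1] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:60004 -> 192.0.2.10:22
"""

# Fields of the alert_fast format: timestamp, [gid:sid:rev], message, {proto}, src -> dst.
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-[\d:.]+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line.rstrip())
    return m.groupdict() if m else None

def low_and_slow(lines, min_days=3, max_per_day=3):
    """Sources seen on at least min_days distinct days that never exceed max_per_day
    alerts in a single day: the scanner a per-day volume threshold would hide."""
    per_day = defaultdict(lambda: defaultdict(int))   # src -> date -> alert count
    targets = defaultdict(set)                        # src -> set of dst hosts
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        per_day[a["src"]][a["date"]] += 1
        targets[a["src"]].add(a["dst"])
    found = {}
    for src, days in per_day.items():
        if len(days) >= min_days and max(days.values()) <= max_per_day:
            found[src] = {"days": len(days), "alerts": sum(days.values()), "hosts": len(targets[src])}
    return found

if __name__ == "__main__":
    for src, s in low_and_slow(SAMPLE_ALERTS.splitlines()).items():
        print(f"{src}: {s['alerts']} alerts over {s['days']} days against {s['hosts']} hosts")
```

The loud SSH source is left to Snort's own thresholds; only the quiet SNMP source that returns every day is reported.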