Snort mailing list archives
Re: What makes a complete IDS package?
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 21 Mar 2011 13:00:37 -0400
I've done both. Every customer is different. On Mon, Mar 21, 2011 at 12:49 PM, Jefferson, Shawn < Shawn.Jefferson () bcferries com> wrote:
Is this in a business or just personal? There's no way I could do that in my environment... too many legitimate things would get blocked. ------------------------------ *From:* Joel Esler [mailto:jesler () sourcefire com] *Sent:* Monday, March 21, 2011 9:34 AM *To:* James Lay *Cc:* Snort *Subject:* Re: [Snort-users] What makes a complete IDS package? Clarify -- I have those rules set to drop, and the alert suppressed (still recorded in tcpdump logs). If a website is hiding the information as such with Javascript or whatever, I don't need to go to that website. J On Sat, Mar 19, 2011 at 10:09 AM, Joel Esler <jesler () sourcefire com>wrote:I don't. No. I have those set to block in the IPS. On Mar 19, 2011, at 9:58 AM, James Lay wrote: I review my events on the command line. I don't use a DB or whatever. I've tuned the hell out of my Snort installation, so that when it alerts, I need to deal with something. Joel Joel, So….do you nuke out the "possible" rules? Or the "likely hostile" rules? I spend a fair amount of time tracking down obfuscated javascript and javascript in pdf type alerts…most are non-malicious, but some turn out to be bad…curious on just how much you've tuned my friend ;) James ------------------------------------------------------------------------------ Colocation vs. Managed Hosting A question and answer guide to determining the best fit for your organization - today and in the future. http://p.sf.net/sfu/internap-sfd2d_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users -- Joel Esler jesler () sourcefire.com http://blog.snort.org && http://blog.clamav.net Twitter: @snort-- Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
-- Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
------------------------------------------------------------------------------ Colocation vs. Managed Hosting A question and answer guide to determining the best fit for your organization - today and in the future. http://p.sf.net/sfu/internap-sfd2d
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- What makes a complete IDS package? James Lay (Mar 18)
- Re: What makes a complete IDS package? Jefferson, Shawn (Mar 18)
- Re: What makes a complete IDS package? Joel Esler (Mar 18)
- Re: What makes a complete IDS package? James Lay (Mar 19)
- Re: What makes a complete IDS package? Joel Esler (Mar 19)
- Re: What makes a complete IDS package? Martin Holste (Mar 21)
- Re: What makes a complete IDS package? Joel Esler (Mar 21)
- Re: What makes a complete IDS package? Jefferson, Shawn (Mar 21)
- Re: What makes a complete IDS package? Joel Esler (Mar 21)
- Re: What makes a complete IDS package? James Lay (Mar 19)