Snort mailing list archives

Re: What makes a complete IDS package?


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 21 Mar 2011 13:00:37 -0400

I've done both.  Every customer is different.

On Mon, Mar 21, 2011 at 12:49 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Is this in a business or just personal?  There's no way I could do that in my environment... too many legitimate things would get blocked.

------------------------------
*From:* Joel Esler [mailto:jesler () sourcefire com]
*Sent:* Monday, March 21, 2011 9:34 AM
*To:* James Lay
*Cc:* Snort
*Subject:* Re: [Snort-users] What makes a complete IDS package?

Clarify --

I have those rules set to drop, and the alert suppressed (still recorded in
tcpdump logs).  If a website is hiding the information as such with
Javascript or whatever, I don't need to go to that website.

J

On Sat, Mar 19, 2011 at 10:09 AM, Joel Esler <jesler () sourcefire com> wrote:

I don't.  No.  I have those set to block in the IPS.


On Mar 19, 2011, at 9:58 AM, James Lay wrote:


I review my events on the command line.  I don't use a DB or whatever.  I've tuned the hell out of my Snort installation, so that when it alerts, I need to deal with something.

Joel


Joel,

So… do you nuke out the "possible" rules?  Or the "likely hostile" rules?  I spend a fair amount of time tracking down obfuscated javascript and javascript in pdf type alerts… most are non-malicious, but some turn out to be bad… curious on just how much you've tuned my friend ;)

James


------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.

http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


 --

Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
Twitter: @snort




--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net





-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
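One way to apply the tuning Joel describes above (flipping a chosen set of rules from `alert` to `drop` for an inline IPS deployment) is to rewrite the rule actions by SID before loading them. This is an added Python example, not code from the thread or from Snort; the rule lines and SID numbers below are constructed for illustration and are not real VRT rules.

```python
import re

# Action keyword at the start of a Snort 2 rule line (commented rules are skipped).
ACTION_RE = re.compile(r"^(?P<prefix>\s*)(?P<action>alert|log|pass|drop|reject|sdrop)\s+")
# The sid option inside the rule body, e.g. "sid:9000001;".
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")


def set_action(rule_line, sids, new_action="drop"):
    """Return rule_line with its action replaced when its sid is in `sids`.

    Commented-out rules, blank lines and lines without a sid are left untouched,
    so the rewrite never accidentally enables a disabled rule.
    """
    if rule_line.lstrip().startswith("#") or not rule_line.strip():
        return rule_line
    m = SID_RE.search(rule_line)
    if not m or int(m.group("sid")) not in sids:
        return rule_line
    return ACTION_RE.sub(lambda a: a.group("prefix") + new_action + " ", rule_line, count=1)


def rewrite_rules(rules_text, sids, new_action="drop"):
    """Apply set_action to every line of a rules file's contents."""
    return "\n".join(set_action(line, sids, new_action) for line in rules_text.split("\n"))


# Constructed sample rules (hypothetical local-range SIDs, not real VRT signatures).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE possible obfuscated javascript"; flow:to_client,established; content:"eval|28|unescape|28|"; nocase; classtype:bad-unknown; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE javascript in pdf"; flow:to_client,established; content:"/JavaScript"; classtype:bad-unknown; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE disabled rule"; content:"unescape"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE unrelated rule"; flow:to_server; sid:9000004; rev:1;)"""

# SIDs the operator has decided to drop rather than review by hand.
DROP_SIDS = {9000001, 9000002}

if __name__ == "__main__":
    print(rewrite_rules(SAMPLE_RULES, DROP_SIDS))
```

The same function can be pointed at a downloaded rules file before it is written to the Snort rules directory, so the local drop decisions survive a rule update.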
