Re: Snort against DARPA Dataset

[waldo kitty <wkitty42 () windstream net>]

On 7/14/2012 01:49, Sravan Bhamidipati wrote:
> I would like one more insight from the Snort experts. In my observations on
> DARPA datasets as well as some newer dataset that I could recently access, Snort
> showed very low detection rates for local to local attacks, i.e., attacks where
> both the source IP and the destionation IP belongs to HOME_NET.
>
> Is this expected? Is there something that can be done to enable Snort to detect
> local to local attacks?

yes, in many cases it is to be expected... the main thing is that you need to 
inject your monitoring into your needs with specific rules to catch that which 
you wish to monitor... many rules are written to be either inbound to catch 
traffic from outside headed inward or the are written to be outbound to catch 
traffic which may denote an infection in your network... to catch traffic that 
is internal headed to internal machines requires a bit of a change in the 
rules... this may be as easy as redefining home_net or not...

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!