Re: Everything working what next

[waldo kitty <wkitty42 () windstream net>]

On 11/28/2012 16:52, k vijay sai prashanth wrote:
> I did google it actually, Got very very vague responses. I posted here as
> everyone here uses Snort and will have clarity on their purpose of usage.

the main thing is to see the traffic on your network and that coming into and 
going out of it... for instance, if you have a local policy of no P2P apps, it 
is possible that a snort signature may alert on this type of traffic so that you 
can put a stop to it...

> Also if I may ask why do we need an IDS when there is already a firewall in
> place?

firewalls can easily be breached... for example, if you have a web server 
running inside your network that is open to the public on the WAN... with snort 
you can sniff the traffic and see if anything untoward is going on... one for 
instance would be if your web server runs a forum software package... you could 
tell if some automated critter was beating on your forum and trying to force a 
bogus spammy signup...

> All the traffic I see in my logs are all internal traffic. What kind of
> threats am I looking at from internal traffic?

internal machine can easily be infested if they visit external web sites... one 
only has to look at the iframe mess that's out there spreading blackhole and 
other kits... pdf and java also bring threats... if something gets loose inside, 
don't you want to know about it hopefully before it infests other machine on 
your network?

> Regards,
> Prashanth
>
>
> On Thu, Nov 29, 2012 at 3:14 AM, Ron Sinclair <unixfool () gmail com
> <mailto:unixfool () gmail com>> wrote:
>
>     Analyze the logged data to determine if there are any system/network
>     breaches.  Noisy signatures can be commented out or tuned/filtered.
>       Sometimes the logs can point out a misconfiguration that, while not an
>     actual breach, can assist in fixing the issue.  Also, each network is
>     different, so we won't be able to tell you what you should be seeing and
>     how/if you should disable signatures.  We might be able to assist if you've
>     a question about a particular piece of traffic, but you'll have to provide
>     the pcap.  Sometimes, just being able to compare the PCAP agains the rule
>     itself is enough to determine the nature of logged traffic.  Sometimes it
>     takes awhile to research.  It depends on what's being logged.
>
>     I'm not sure if it's outside of the scope of this group or not, but using
>     Google usually helps.
>
>
>     On Wed, Nov 28, 2012 at 4:06 PM, k vijay sai prashanth
>     <vijaysaiprashanth () gmail com <mailto:vijaysaiprashanth () gmail com>> wrote:
>
>         Hello All,
>
>         I have setup snort barnyard2 after a lot of pain. I even setup an Aanval
>         front end. I now have events being logged and stored.
>
>         I just have one question.
>
>         What do I do with all the logs and alerts?
>
>         What kind of analysis and reporting should I be doing?
>
>         I hope this part is not out of scope for this group.
>
>         Regards,
>         Prashanth



------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
VERIFY Test and improve your parallel project with help from experts 
and peers. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!