Snort mailing list archives
Re snort plus Ossetia
From: "Don M." <djmurd () cox net>
Date: Wed, 17 Feb 2016 07:38:24 -0500
On the question of top snort itd's... General decision making is a thought process tuned to your org. For me, personally, I'd do something like this:

First, make decisions and enable rules that represent your environment.

Second, look for any rules that relate to outbound command and control.

Third, there are rules that detect remote code execution payloads.

Fourth, there are a few UDP based single packet kills.

Fifth, I block ICMP at the border, so those rules inbound would never trigger (I hope...).

Sixth, I would want SYN + ACK packets for 3389, 22, 23 exiting my server network, because that indicates the start of a system responding to remote access (FIN + ACK would be the natural end, normally). The rule is directional.

Hopefully you get the idea here. I am sure that some would change the order, or emphasize one topic over another, but the point is that intrusion detection works better when you establish priorities and know your environment.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
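The sixth item above written out as a Snort 2 rule, added here as an example and not taken from Don's post; the SERVER_NET and EXTERNAL_NET address values and the sid are assumed placeholders for a local deployment.

```snort
# Added example (not from the post): Snort 2 rule for the sixth item above.
# Assumed local variable definitions; replace with the real server address space.
ipvar SERVER_NET [10.0.10.0/24]
ipvar EXTERNAL_NET !$SERVER_NET

# Direction is the point: the source is the server network and the packet is a
# SYN+ACK, i.e. a server answering a connection attempt on a remote-access port
# (SSH, Telnet, RDP). The same SYN+ACK arriving from outside does not match.
# flags:SA,12 requires SYN and ACK set and ignores the two reserved (ECN) bits,
# which some TCP stacks set on a SYN-ACK. sid is a placeholder in the local range.
alert tcp $SERVER_NET [22,23,3389] -> $EXTERNAL_NET any ( \
    msg:"LOCAL remote access session answered from server net (SYN/ACK outbound)"; \
    flow:stateless; \
    flags:SA,12; \
    classtype:attempted-admin; \
    sid:1000001; rev:1; \
)
```

A FIN+ACK on the same ports and direction would mark the normal end of such a session, as the post notes, and can be tracked with a second rule if you want both ends of the session logged.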
Current thread:
- Re snort plus Ossetia Don M. (Feb 17)