Snort mailing list archives
Re: Configuration questions-snort multiple instances
From: Stanford Prescott <stan.prescott () gmail com>
Date: Tue, 2 May 2017 12:07:41 -0500
That all makes sense. Thanks!

On Tue, May 2, 2017 at 11:11 AM, <wkitty42 () windstream net> wrote:
> On 05/02/2017 10:27 AM, Stanford Prescott wrote:
>> Is it necessary to define the DNS_SERVERS for the LAN interfaces?
>
> yes if any rules are used that need the DNS_SERVERS variable defined... a quick
>
>     grep -E -e "DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules | wc -l
>
> of my sensor's installation shows 29 rules using that variable... of those, 21 are disabled...
>
> FWIW: i would keep the DNS_SERVERS defined to the internal LAN IP for that interface specifically to be able to catch internal machines attempting these lookups that are indicators of malfeasance... this grep will show you the enabled rules that have DNS_SERVERS defined in them... some are research scanners (in my local.rules), some are conficker detections, some are DoS packet related, some are looking for DNS cache poisoning...
>
>     grep -E -e "^[^#].*DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules
>
>> 2. Each snort instance has its own rule sets. One of these is the Talos reputation IP blacklists. Should the internal LAN instances of snort also have access to the public IP addresses provided by the Talos IP blacklists since the internal LANs really only use private IP addresses?
>
> the internal LANs may use only RFC1918 addresses but they make requests to WAN IPs as well... yes, blacklists and whitelists are a GoodThing<tm> to consider on the LAN interfaces... especially to prevent from and determine which internal systems are attempting to contact those blacklisted IPs... especially if those internal systems are trying to exfiltrate personal or corporate information...
>
> --
> NOTE: No off-list assistance is given without prior approval.
>       *Please keep mailing list traffic on the list* unless private
>       contact is specifically requested and granted.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
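The two grep commands in the quoted reply, generalised into a small audit script as an added example (not code from the thread or from Snort): it counts every rule that references a given variable such as DNS_SERVERS, lists only the enabled ones, and checks that snort.conf actually defines the variable those rules depend on. The function names, the temporary rules directory, the sample rules and their sids are all constructed for the demo; on a real sensor you would point it at your own rules directory and snort.conf.

```shell
#!/bin/sh
# Added example (not from the thread): audit which Snort rules depend on a
# given variable (e.g. DNS_SERVERS) and whether snort.conf defines it.
# Paths below are constructed for the demo; the thread's sensor used
# /var/smoothwall/snort/*rules*/*.rules and its own snort.conf.
set -eu

# Count every rule line (enabled or commented out) that references $VAR.
count_rules_using() {            # $1 = variable name, $2 = rules dir
    grep -hE -e "\\\$$1" "$2"/*.rules | wc -l | tr -d ' '
}

# List only enabled rules (line not starting with '#') that reference $VAR.
enabled_rules_using() {          # $1 = variable name, $2 = rules dir
    grep -hE -e "^[^#].*\\\$$1" "$2"/*.rules
}

# Return 0 if snort.conf defines the variable with ipvar/var, 1 otherwise.
conf_defines() {                 # $1 = variable name, $2 = snort.conf path
    grep -qE "^[[:space:]]*(ipvar|var)[[:space:]]+$1[[:space:]]" "$2"
}

# --- constructed sample input so the script runs offline ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/local.rules" <<'EOF'
# constructed rules; sids are placeholders, not real Snort sids
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"DEMO lookup to internal DNS"; sid:9000001; rev:1;)
#alert udp $EXTERNAL_NET 53 -> $DNS_SERVERS any (msg:"DEMO disabled cache-poison check"; sid:9000002; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"DEMO many lookups"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"DEMO no DNS variable"; sid:9000004; rev:1;)
EOF
cat > "$demo_dir/snort.conf" <<'EOF'
ipvar HOME_NET 192.168.10.0/24
ipvar DNS_SERVERS 192.168.10.1
EOF

echo "rules referencing DNS_SERVERS: $(count_rules_using DNS_SERVERS "$demo_dir")"
echo "enabled ones:"
enabled_rules_using DNS_SERVERS "$demo_dir" || echo "(none enabled)"
if conf_defines DNS_SERVERS "$demo_dir/snort.conf"; then
    echo "snort.conf defines DNS_SERVERS"
else
    echo "WARNING: rules reference DNS_SERVERS but snort.conf does not define it"
fi
```

Running it against a real rules directory with a variable that is referenced by enabled rules but undefined in snort.conf is the case the thread warns about: those rules will fail to load, so the check is worth repeating after every rule update.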
Current thread:
- Configuration questions-snort multiple instances Stanford Prescott (May 02)
- Re: Configuration questions-snort multiple instances wkitty42 (May 02)
- Re: Configuration questions-snort multiple instances Stanford Prescott (May 02)
- Re: Configuration questions-snort multiple instances wkitty42 (May 02)