Snort mailing list archives

Re: IDS


From: Jason Hellenthal <jhellenthal () dataix net>
Date: Mon, 10 Jul 2017 11:12:43 -0500

That warning may just be because no pre-processors are configured within the snort.conf; perfectly safe to ignore.

False positives in themselves are quite annoying. Positioning of the sensor in IDS mode may have a lot to do with that 
outcome. Since networks vary greatly, if this is on your edge interface(s) you might find quite a bit of traffic that 
is positive, but in general I’ve only come across a few false positives on multiple edge interfaces that were only caused 
by internal users. The number of users will have a great effect on that. I have ~ 600-700 users and have found only very 
minimal rules I either disabled or suppressed because they were not valid from external networks anyway.

Most of the false positives I’ve seen are the builtin snort rules like ICMP, retransmissions, and likewise. The more 
refined rules like VRT (Talos) and EmergingThreats have been pretty accurate for me.

Personally I like the use of Graylog (https://www.graylog.org/) for inspecting traffic from snort/suricata but that is 
just me. Setting filters in anything related is just as much of a feat as making sure all your sensors are working as 
intended.

On Jul 10, 2017, at 10:58, Justin Pederson <jpedersm () gmail com> wrote:

Thank you Jason,

I am running this on the internal network so just using it as an IDS for now.  I set some rules up which fired fine, 
but nothing else.  I thought after setting this up I would be loaded with False Positives the first couple of days 
rather than hardly any alerts.  I grabbed 2 pcaps from PacketTotal and ran them under the snort -r .pcap switch.  I 
got a lot of Warning: No preprocessors configured for policy 0.  I have not looked into that error yet, but I 
am not sure if everything is configured right yet.

On Mon, Jul 10, 2017 at 10:52 AM, Jason Hellenthal <jhellenthal () dataix net> wrote:
Normally that’s just to set it up and maintain the software and rules to go along with it to start. IDS in itself, to 
snort(1), uses libpcap to build its interrogation techniques while still sending the traffic to its destination, which 
seems to be quite confusing to some folks after they find the traffic still arriving at the dst host.

IPS mode… inline mode inspects the traffic live and drops or passes them on your determination of rules that should 
drop or alert. By default you get a lot of ALERT only rules and not sure why they are not dropping… because you have 
not set them to drop. SID mgmt becomes a big part of this operation.

So hopefully, as you can see, each side has a drawback in the way you manage the entire structure that you built, but 
when done with all that in mind along with the reporting infrastructure you get a highly tuned IDS/IPS solution that 
fits almost any size network.

If you have not dealt with snort before in both of the above mentioned roles then you might want to lean on using the 
legacy mode that uses libpcap, depending on the project’s requirements. Most often IDS legacy mode with blocking 
enabled is adequate enough for most small to 2/3 size medium businesses and will result in less time of 
maintainership.

Though that is just my opinion and only a portion of what can actually be done with snort and other related IDS/IPS 
solutions. Maybe a more well rounded question of “this is what I am trying to achieve vs. this is what I don’t like 
right now with what I have” may be more helpful to answer.


Hope some of this helps.


On Jul 10, 2017, at 10:15, Justin Pederson via Snort-users <snort-users () lists snort org> wrote:

What is the best way to set snort up?  Either have it just look at the live packets as they come in or to form a 
pcap then to look into the pcap?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
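The SID-management step Jason describes (alert-only rules never block in inline mode until their action is changed to drop, and noisy built-in rules get disabled or suppressed) can be scripted. The following is an added example, not code from the thread or from the Snort project; the rules and SIDs in it are constructed placeholders, and it assumes the usual `action proto src sport -> dst dport (options; sid:N; rev:N;)` rule layout.

```python
import re

# Constructed sample rules for the demo (SIDs are local placeholders, not Talos/ET SIDs).
SAMPLE_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe"; flow:to_server; sid:1000002; rev:2;)
# alert tcp any any -> any any (msg:"already disabled"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS query"; sid:1000004; rev:1;)
"""

# Snort rule header: the action keyword, then the rest of the rule, which carries a sid option.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<rest>.*\bsid:\s*(?P<sid>\d+)\s*;.*)$"
)


def retune_rules(text, drop_sids=(), disable_sids=()):
    """Return rules text with chosen SIDs switched to 'drop' or commented out."""
    drop_sids = {str(s) for s in drop_sids}
    disable_sids = {str(s) for s in disable_sids}
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:  # comments, blank lines and unparsed lines stay untouched
            out.append(line)
        elif m.group("sid") in disable_sids:
            out.append("# " + line.strip())  # suppress a noisy rule, e.g. an ICMP one
        elif m.group("sid") in drop_sids:
            out.append("drop " + m.group("rest"))  # alert -> drop so inline mode blocks it
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def rule_actions(text):
    """Audit helper: map sid -> action, or 'disabled' for commented-out rules."""
    actions = {}
    for line in text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped.lstrip("# "))
        if m:
            actions[m.group("sid")] = "disabled" if stripped.startswith("#") else m.group("action")
    return actions


if __name__ == "__main__":
    tuned = retune_rules(SAMPLE_RULES, drop_sids=[1000002], disable_sids=[1000001])
    print(tuned)
    print(rule_actions(tuned))
```

Running `rule_actions` on the untouched file first shows which SIDs are still alert-only, which is the check to do before trusting an inline sensor to block anything.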
