Snort mailing list archives
Re: Step #1 Set the Network Variables
From: Marcin Dulak via Snort-users <snort-users () lists snort org>
Date: Wed, 4 Oct 2017 13:18:36 +0200
On Wed, Oct 4, 2017 at 12:29 PM, Dan O'Brien via Snort-users < snort-users () lists snort org> wrote:
Good morning Snort Users,

In my quest to have a configured NIDS, I realized I may have put the cart before the horse during setup. I used a guide to set up my system and I am trying to learn as I go. Yesterday, in researching the http_inspect preprocessor, I happened to open the snort.conf and realized I may have suppressed some rules instead of setting up some of the primary settings. Instead of just suppressing rule 120/3, I would like to try to properly set up Snort.

For example, I run Pi-hole on my network. Pi-hole is a DNS cache/forwarder. Would it help with some of the false positives I am getting if I defined my DNS servers under ipvar DNS_SERVERS? I currently have “ipvar DNS_SERVERS $HOME_NET”
Snort rules are not consistent in the usage of the variables. Go over all your active rules and verify they contain any variables relevant for your case.

Best regards,
Marcin
Same with the “ipvar HTTP_SERVERS $HOME_NET”. I have a Nagios/nconf health monitoring server on my network. Should the ipvar HTTP_SERVERS include that ip instead of the entire network?

Multiple examples of this:

1. I have a SMTP Transfer program for sending emails
2. Multiple Linux boxes/routers with ssh

Same thing with portvar. Should I limit HTTP_PORTS to only those in use by my webservers? I am afraid of limiting snort too much and making it ineffective.

Thanks in advance.

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
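The check suggested in the reply above, as an added example that is not part of the original thread: a Python sketch that counts how many active (uncommented) rules reference each variable defined in snort.conf, which shows whether narrowing DNS_SERVERS or HTTP_SERVERS would change what any rule matches. The configuration and rules are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Snort 2 rule actions; a line that starts with anything else is not an active rule.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
VAR_REF = re.compile(r"\$(\w+)")
DEFINITION = re.compile(r"^\s*(ipvar|portvar|var)\s+(\w+)\s+(\S.*)$")

# Constructed sample input, not taken from the thread.
SAMPLE_CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
"""
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed web rule"; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed DNS rule"; sid:1000002; rev:1;)
# alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"constructed disabled rule"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed ssh rule"; sid:1000004; rev:1;)
"""

def header_vars(line):
    """Variables in the header of one active rule; empty set for comments and non-rules."""
    line = line.strip()
    if not line.startswith(ACTIONS):
        return set()
    header = line.partition("(")[0]  # options such as msg:"..." are not part of the header
    return set(VAR_REF.findall(header))

def variable_usage(rules_text):
    """Number of active rules whose header references each variable."""
    usage = Counter()
    for line in rules_text.splitlines():
        usage.update(header_vars(line))
    return usage

def audit(conf_text, rules_text):
    """Map each variable defined in the config to (definition, active rules using it)."""
    usage = variable_usage(rules_text)
    report = {}
    for line in conf_text.splitlines():
        m = DEFINITION.match(line)
        if m:
            report[m.group(2)] = (m.group(3).strip(), usage[m.group(2)])
    return report

if __name__ == "__main__":
    for name, (value, count) in audit(SAMPLE_CONF, SAMPLE_RULES).items():
        print(f"{name:14} = {value:18} used by {count} active rule(s)")
```

In this sample, DNS_SERVERS is referenced by no active rule, so redefining it would not affect alerts, while the DNS-port rule keys on $HOME_NET instead.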
Current thread:
- Step #1 Set the Network Variables Dan O'Brien via Snort-users (Oct 04)
- Re: Step #1 Set the Network Variables Marcin Dulak via Snort-users (Oct 04)
- Re: Step #1 Set the Network Variables Paul O'Brien via Snort-users (Oct 04)
- Re: Step #1 Set the Network Variables Marcin Dulak via Snort-users (Oct 04)