IDS mailing list archives
Re: snort-inline inbound ruleset?
From: Lance Spitzner <lance () honeynet org>
Date: Mon, 3 Feb 2003 11:41:37 -0600 (CST)
On Sun, 2 Feb 2003, John Flynn wrote:
I'm fairly new to the IDS scene. I want to deploy some sort of open source IPS. I've read most of the stuff from the honeynet project and those guys are doing a great job with snort-inline. They have a great default ruleset to filter outgoing traffic. I was wondering if snort-inline is a recommended approach for an IPS at this point and if so, does someone have a good default blocking ruleset for incoming untrusted traffic they could point me to? I have been having a huge problem with false positive rates with snort on my network and I'm struggling to come up with an IPS solution that won't block legitimate traffic. Would people recommend I use hogwash or something else instead of snort-inline?
The ruleset used by the Honeynet Project can easily be used for inbound traffic. Just swap the variables HONEYNET and EXTERNAL_NET, so the directions of inspection are reversed. The current Honeynet drop ruleset is a minimized ruleset designed only to stop known attacks and exploits. Of almost 2,000 possible Snort rules, the Honeynet drop.rules ruleset has only about 250 rules. However, this ruleset is experimental; I'm sure it's missing some attacks (if you identify any that should be added, please let the Project know).

http://www.honeynet.org/papers/honeynet/tools/drop.rules

lance
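As an added example, not code from Lance's post or from the Honeynet Project's drop.rules, the following Python helper performs the HONEYNET/EXTERNAL_NET swap described above on each rule header, turning an outbound-oriented drop ruleset into its inbound counterpart. The sample rules are constructed for illustration; the helper assumes standard Snort header syntax (action proto src sport dir dst dport) with options in parentheses.

```python
import re

# Constructed sample lines in the style of the Honeynet drop.rules (not the
# real file): honeynet hosts are the *source*, so these stop outbound attacks.
SAMPLE_RULES = """\
# constructed sample: honeynet hosts are the source, so these stop outbound attacks
drop tcp $HONEYNET any -> $EXTERNAL_NET 80 (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1002; rev:5;)
drop tcp $HONEYNET any -> !$HONEYNET 445 (msg:"NETBIOS SMB outbound"; flow:to_server,established; sid:1000001;)
alert udp [$HONEYNET,10.0.0.0/8] any -> $EXTERNAL_NET 69 (msg:"TFTP GET"; content:"|00 01|"; depth:2; sid:1000002;)
"""


def swap_direction_vars(rule_text, a="HONEYNET", b="EXTERNAL_NET"):
    """Return rule_text with $a and $b exchanged in every rule header.

    Only the header (text before the option parentheses) is touched, so rule
    options are never rewritten.  The swap uses a lookup table in one pass;
    two sequential str.replace() calls would collapse both variables into one.
    Negation (!$HONEYNET) and IP lists ([$HONEYNET,10.0.0.0/8]) survive intact.
    """
    table = {a: b, b: a}
    var_re = re.compile(r"\$(%s|%s)\b" % (re.escape(a), re.escape(b)))
    out = []
    for line in rule_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)  # comments and blank lines pass through unchanged
            continue
        head, sep, opts = line.partition("(")
        head = var_re.sub(lambda m: "$" + table[m.group(1)], head)
        out.append(head + sep + opts)
    return "\n".join(out)


def rule_headers(rule_text):
    """Yield (action, proto, src, sport, direction, dst, dport) per rule line."""
    for line in rule_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        head = line.partition("(")[0].split()
        if len(head) != 7 or head[4] not in ("->", "<>"):
            raise ValueError("unparseable rule header: %r" % line)
        yield tuple(head)


if __name__ == "__main__":
    inbound = swap_direction_vars(SAMPLE_RULES)
    print(inbound)
    for hdr in rule_headers(inbound):
        print(hdr)
```

Applying the function twice returns the original ruleset, which is a quick sanity check before loading the rewritten file into snort-inline.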