IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort as IDS

From: "Sanjay R" <2sanjayr () gmail com>
Date: Mon, 14 Jan 2008 08:40:18 +0530
Hi Jon:
The first thing that i observed about Snort is - The administrator
should be very good at tuning it according to h(is|er) understanding
of network. The snort rules are prone to false alarms. So you have to
bang your head ;)
other comments are..
On Jan 11, 2008 4:03 PM, Jon Uriona <jurionamendi () yahoo es> wrote:

Hi all,

I need to know if I need to apply web detection rules
(attacks, cgi, client, misc, php...) and preprocesor (http_inspect) to
devices acting as web proxies. I am getting thousand of alerts due to
those rules from my proxy clients and their external requests which I
believe all of them are false. Am I right?

I am bit confused as Snort is network level IDS and therefore, why do
you need to configure it specific to each client? Also, any proxy
embeds HTTP request/response in another http packets and forward it to
the client/server. So, if the attack is against a client, proxy server
is safe as it may not be processing the packet (of course, if
additional checks are not configured in it).


And for web servers different than apache and IIS, do I have to apply
http_inspect with any profile?

Yes, if you are monitoring your web server, you should apply those rules.


I am trying to set up my http_inspect preprocessor.
If I have a Squid proxy listening on ports 80 and 8080, do I need to
configure a preprocessor http_inspect_server for it? And should I use
apache profile?

If I am using any other web server (neither IIS nor Apache), do I need
to configure a preprocessor http_inspect_server for it? If so, which
profile?

And same question about application servers, like AOL for example. Do I
need to configure http_inspect_server for it? Which profile?


answer to all last few queries is : if the traffic involves HTTP,
enable a generic profile. Do some monitoring for sometime and
accordingly tune your rules.


Thanx in advance,

Jon





Sanjay
-- 
Computer Security Learner

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: