Honeypots mailing list archives

Re: GenII Honeynet practical use of Snort/Snort_Inline/Swatch


From: Lance Spitzner <lance () honeynet org>
Date: Fri, 27 Jun 2003 22:28:43 -0500 (CDT)

On Fri, 27 Jun 2003, Brent J. Nordquist wrote:

    - The GenII paper says "If you are running drop-rules.tgz
    ruleset, you test by simply by first enabling the default test
    rule," -- I am using the distributed drop-rules.tgz, but I
    couldn't find that ruleset.  Can someone point me to it?  (I
    added my own that was basically a wildcard, and confirmed that
    it triggered Snort_Inline.)

I did a bad job of placing the test rules set (it was part of the
README in the drop.rules directory).  To make it much easier to
find, the toolkit now has a test.rules ruleset included with the
Toolkit.  Should be very easy to find.  I also REMOVED the pre-converted
rules within the Toolkit as they were out of date.  This forces you
to download the latest from the Snort website and convert them to 
drop using the convert.sh script.  It's too tempting for people to
use the included, but severely outdated, drop rule set that's included
with the Toolkit.  Temptation now removed :)

    - The paper doesn't appear to say anything about how to set up
    rules that achieve this.  I did a telnet in both directions,
    but neither one was logged.  Again, I added a simple "wildcard"
    rule and was able to get Snort to trigger and log the session.
    So it looks like the standard Snort rules (which appear to be
    set up to catch "bad" activity) aren't what you want for
    capturing *all* activity.  What Snort rules do people use?

Use the Project's standard snort.conf file for data capture, you can
find it online at

   http://www.honeynet.org/papers/honeynet/tools/snort.conf

I did a poor job of pointing that out in the GenII paper, now
fixed :)

    - Is this what people use in practice, or do you only alert on
    TCP or UDP (ignoring ICMP), or do you have other custom Swatch
    patterns to ignore false positives (IDENT, NTP, etc.)?

If it's going outbound, ALERT!  Don't focus on the protocol, but the
direction that is initiated.  The Honeynet Project is developing
GUI interfaces to monitor, alert, and analyze activity in real time.

Thanks!

lance
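An added example (not from the original thread or the Honeynet Project toolkit) of the direction-based alerting described in the reply above: it scans Snort fast-format alert lines and flags every connection initiated from inside the honeynet toward the outside, whatever the protocol. The honeynet range 192.0.2.0/24 and the sample alert lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed assumption: the honeynet's address block (TEST-NET-1, not a real deployment).
HONEYNET = ipaddress.ip_network("192.0.2.0/24")

# Matches the tail of a Snort "fast" alert line; ports are optional so ICMP lines parse too.
ALERT_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
)


def parse_alert(line):
    """Return (proto, src, dst) from a fast-alert line, or None if the line is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return (m.group("proto"),
            ipaddress.ip_address(m.group("src")),
            ipaddress.ip_address(m.group("dst")))


def is_outbound(src, dst):
    """Honeypot-initiated traffic: source inside the honeynet, destination outside it."""
    return src in HONEYNET and dst not in HONEYNET


def outbound_alerts(lines):
    """Return (proto, src, dst) for every alert whose direction is outbound, ignoring protocol."""
    hits = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed and is_outbound(parsed[1], parsed[2]):
            hits.append(parsed)
    return hits


# Constructed sample alerts in Snort fast format; none come from a real honeynet.
SAMPLE = [
    "06/27-22:28:43.000001  [**] [1:1000001:1] TEST rule [**] [Priority: 3] {TCP} 198.51.100.5:3341 -> 192.0.2.10:23",
    "06/27-22:29:01.000002  [**] [1:1000001:1] TEST rule [**] [Priority: 3] {TCP} 192.0.2.10:1034 -> 198.51.100.7:6667",
    "06/27-22:29:05.000003  [**] [1:1000001:1] TEST rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 203.0.113.9",
    "06/27-22:29:09.000004  [**] [1:1000001:1] TEST rule [**] [Priority: 3] {UDP} 192.0.2.10:123 -> 192.0.2.11:123",
]

if __name__ == "__main__":
    # Only the honeypot-initiated TCP and ICMP alerts are reported; inbound and
    # honeynet-internal traffic are not, regardless of protocol or port.
    for proto, src, dst in outbound_alerts(SAMPLE):
        print(f"OUTBOUND {proto} {src} -> {dst}")
```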

