PaulDotCom mailing list archives

Make snort bite back - prevention issues


From: wishinet at googlemail.com (wishi)
Date: Mon, 19 Jan 2009 17:25:15 +0100

Hi!

I'm currently setting up a secure Linux (Debian) based server, and I
want to apply some prevention in case of intrusion detection; and
effective logging (not a mass of data).

There's a great small list on the Emerging Threats documentation site about snort-sam:
http://doc.emergingthreats.net/bin/view/Main/SnortSam

* I already applied some of the ready rule sets from there. They seem
quite good.

* One issue related to snort-sam is: in the documentation I found
several parts, like white-list support for IP addresses that will never
be blocked. Anyhow, I have a dynamic IP address, so I can't white-list
it, because it is not static. This can cause problems, I think. If
somebody spoofs IPs, I can't be sure I'll still be able to access the
server (without KVM-over-IP...).

* Furthermore, only outgoing traffic matters. I don't really care about
SSH brute-force attacks because they're highly unlikely to succeed.


I just wonder what a real best-practice IDS config looks like: where to
create logs, and how to organize them ;). In the end I want a pcap for
an attack that took place, and a small logfile. That's all. But it seems
I get a huge mass of logs I don't even need.


wishi
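As an added illustration of the lockout concern raised in the post (this is my own example code, not code from SnortSam, Snort or Emerging Threats), here is a small Python simulation of a SnortSam-style active-response policy: a never-block whitelist, blocks that either live forever or expire after a TTL, and an "outbound only" switch. It walks through the spoofing scenario from the post, where an attacker sends an inbound probe with the admin's current address as the source. All IP addresses, the dynamic-DNS hostname, the alert labels and the `direction` field are constructed for the example; the resolver is injected as a callable so it runs offline (in practice you would pass `socket.gethostbyname`).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Alert:
    """One IDS alert. 'direction' ('in'/'out') is a constructed label."""
    src: str
    dst: str
    direction: str
    sig: str


@dataclass
class BlockPolicy:
    """Simplified model of an active-response (SnortSam-like) block policy."""
    whitelist: List[str]                 # hosts or CIDRs that are never blocked
    block_ttl: int                       # seconds a block lives; 0 means permanent
    outbound_only: bool = False          # only react to alerts on outgoing traffic
    blocks: Dict[str, float] = field(default_factory=dict)  # ip -> expiry timestamp

    def whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(w, strict=False)
                   for w in self.whitelist)

    def refresh_dynamic(self, hostname: str,
                        resolve: Callable[[str], str]) -> str:
        """Re-resolve a dynamic-DNS name and keep its current address whitelisted.
        This is the workaround for an admin address that is not static."""
        ip = resolve(hostname)
        if ip not in self.whitelist:
            self.whitelist.append(ip)
        return ip

    def handle(self, alert: Alert, now: float) -> str:
        """Decide on one alert and return the action taken."""
        if self.outbound_only and alert.direction != "out":
            return "ignored-direction"
        # On an outbound alert the suspicious party is the remote destination,
        # not the server itself, so that is what would be blocked.
        target = alert.dst if alert.direction == "out" else alert.src
        if self.whitelisted(target):
            return "ignored-whitelist"
        expiry = float("inf") if self.block_ttl == 0 else now + self.block_ttl
        self.blocks[target] = expiry
        return f"blocked {target}"

    def is_blocked(self, ip: str, now: float) -> bool:
        expiry = self.blocks.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocks[ip]          # block has aged out
            return False
        return True


def lockout_scenario() -> Dict[str, object]:
    """Constructed scenario: an inbound probe spoofs the admin's dynamic address."""
    admin_ip = "203.0.113.7"             # constructed (TEST-NET-3)
    server_ip = "198.51.100.10"          # constructed (TEST-NET-2)
    spoofed = Alert(src=admin_ip, dst=server_ip, direction="in",
                    sig="constructed-inbound-probe")
    result: Dict[str, object] = {}

    # 1. No whitelist, permanent blocks: one spoofed packet locks the admin out for good.
    p1 = BlockPolicy(whitelist=[], block_ttl=0)
    p1.handle(spoofed, now=0)
    result["permanent_lockout"] = p1.is_blocked(admin_ip, now=86400)

    # 2. No whitelist, but blocks expire after 10 minutes: the lockout self-heals.
    p2 = BlockPolicy(whitelist=[], block_ttl=600)
    p2.handle(spoofed, now=0)
    result["blocked_at_t0"] = p2.is_blocked(admin_ip, now=0)
    result["free_after_ttl"] = not p2.is_blocked(admin_ip, now=601)

    # 3. Dynamic-DNS name re-resolved into the whitelist before the alert fires.
    fake_dns = {"admin-home.example.invalid": admin_ip}   # constructed resolver
    p3 = BlockPolicy(whitelist=["10.0.0.0/8"], block_ttl=0)
    p3.refresh_dynamic("admin-home.example.invalid", fake_dns.__getitem__)
    result["whitelist_action"] = p3.handle(spoofed, now=0)

    # 4. Only outbound alerts matter: inbound spoofs are never acted on at all.
    p4 = BlockPolicy(whitelist=[], block_ttl=0, outbound_only=True)
    result["outbound_only_action"] = p4.handle(spoofed, now=0)
    return result


if __name__ == "__main__":
    for key, value in lockout_scenario().items():
        print(f"{key}: {value}")
```

Cases 2 to 4 are the three independent mitigations a defender has when the admin address cannot be whitelisted statically: let blocks expire, keep the whitelist fresh from a dynamic-DNS name, or restrict active response to outbound alerts so an inbound spoof can never trigger a block in the first place.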
