RE: Thoughts on internal vs. external IDS rulesets

[Alwin Raymundo <alrayworld () yahoo com>]

Hi Paul,

I'm interested to what you have said in your email.

can you give me some sample of rules that directory
showing up to the world.

Thanks

Paul

--- "Sheahan, Paul (PCLN-NW)"
<Paul.Sheahan () priceline com> wrote:
> Some examples:
>
> If your network normally has a certain type of
> traffic (i.e. mail, web etc),
> then set Snort to look for traffic OTHER than this.
> This will give you an
> indication of someone messing around.
>
> Create some rules to check for odd types of traffic
> such as UDP traffic,
> fragmented traffic, ICMP traffic etc. This can help
> flag down problems on
> the network, someone snooping around, trojans etc.
>
> Also, set your Snort sensor to alert you whenever
> internal server names, IP
> addresses, database names, application names, and
> names of private
> directories etc appear in OUTGOING packets. Normally
> you don't want internal
> data like this going out for the whole world to see.
>
>
>
> Paul Sheahan
> Manager of Information Security
> Priceline.com
> paul.sheahan () priceline com
>
>
>
> -----Original Message-----
> From: Chris Eidem [mailto:ceidem () Dexma com]
> Sent: Wednesday, April 10, 2002 11:44 AM
> To: Snort Users Listserv (E-mail)
> Subject: [Snort-users] Thoughts on internal vs.
> external IDS rulesets
>
>
> Hey y'all,
>
> I'm in the process of reworking my rulesets for the
> sensors that I have
> on my network.  What I would like to know from
> anyone who cares to
> answer is, "what is the difference between your
> internal and external
> sensors?"
>
> Basically, I'm running (pretty much, anyway) the
> standard rulesets that
> come with snort on the external sensor and a
> modified local.rules that
> takes out a lot of the false positives for any
> internal activity on my
> internal sensors.  I'm not really running that many
> special rules and I
> have a feeling that perhaps I need to.  
>
> By way of an example, I have a couple of rules
> looking for outbound tftp
> (CR and Nimda) and a couple of others for keeping
> track of users so that
> they don't run programs that cause problems for me
> (i.e. make my pager
> go off at 0300 because someone decided to run a PtP
> sharing proggie.
> They're walking funny now, thanks for asking...).
>
> What do y'all look for running around in your
> network?  Virii?  PtP
> programs?  Outbound unauthorized connections? 
> Anything I haven't
> mentioned?
>
> TIA,
>  - chris
>
> Chris Eidem                        Dexma, Inc.
> Network Administrator              7701 York Av. S.
> Phone: 952.229.1311                Edina, MN 55435
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
Alwin Raymundo

__________________________________________________
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax
http://taxes.yahoo.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users