Snort mailing list archives
RE: Making Snort Rules More "Sensitive"
From: "D@7@K|N&" <dataking () cox net>
Date: Tue, 17 Jun 2003 08:50:38 -0700
I would say start looking at the alerts that you DO get for one. Second, I would say that you should bring up a small tcpdump box. Something with a big hard-drive, a fast network card (and that's about it). Set up some regular tcpdumps during normal working hours, and other times ("hacker popular times") and then examine the data that you get from the dump box. Look at the data that you are actually receiving/sending, compare that to what you are already filtering for, and go from there.

Also, examine the possibility (if not already in place) of setting up an "inward looking" IDS. The "bad guys" can be on the inside just as easily as they can be on the outside.

Finally, know what is on your network. If you don't have a webserver, you may not need web server rules, etc.

Other than that, I think we would need to know what you already have in place to be able to make suggestions.

Good luck.

-the dataking

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Lichvar
Sent: Tuesday, June 17, 2003 8:27 AM
To: Snort Users List (E-mail)
Subject: [Snort-users] Making Snort Rules More "Sensitive"

1. I'm a Snort (and pretty much Linux/Unix) newbie. Just getting back into this after several months' hiatus.

2. We got dinged in a security audit last year about our IDS rules (Snort) not being "sensitive enough" and were told we needed to raise (lower?) the sensitivity thresholds.

Okay, if someone can tell me where to start looking to accomplish this, I'd really appreciate the help.

Richard L. Lichvar
Director, Operations
Knowledge Resource Center, Inc.
Phone: 703-848-2100 x228
Fax: 703-848-4747
Mobile: 571-221-3430

-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
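An added worked example of the comparison step the reply recommends (look at what the tcpdump box actually sees, set it against what Snort is already configured to inspect, and drop rules for services you do not run). This is illustration code written for this archive page, not code from the thread or from the Snort project. It reads the text output of `tcpdump -n` (a constructed sample is embedded), reads a snort.conf fragment (also constructed), tallies packets by destination port on the local network, and reports which observed services have no enabled rule file, which enabled service rule files saw no traffic, and which ports it has no mapping for. The port-to-rule-file table, the `10.0.0.` local prefix and the Snort 2.x rule file names are assumptions and should be adjusted to the rule set actually in use.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` text output from a capture box.
# These lines are made up for the example; they come from no real network.
SAMPLE_TCPDUMP = """\
08:15:02.101 IP 192.0.2.10.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
08:15:02.102 IP 10.0.0.5.80 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
08:15:03.210 IP 192.0.2.20.40001 > 10.0.0.5.80: Flags [S], seq 3, win 64240, length 0
08:15:04.300 IP 192.0.2.30.33001 > 10.0.0.7.25: Flags [S], seq 4, win 64240, length 0
08:15:05.400 IP 192.0.2.30.33002 > 10.0.0.7.25: Flags [S], seq 5, win 64240, length 0
08:15:06.500 IP 10.0.0.12.53211 > 10.0.0.2.53: 1234+ A? example.com. (29)
08:15:07.600 IP 10.0.0.12.44100 > 10.0.0.7.3306: Flags [S], seq 6, win 64240, length 0
08:15:08.700 IP 192.0.2.40.22222 > 10.0.0.5.1433: Flags [S], seq 7, win 64240, length 0
08:15:09.800 IP 192.0.2.40 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
08:15:10.900 IP 192.0.2.50.55555 > 10.0.0.5.8080: Flags [S], seq 8, win 64240, length 0
"""

# Constructed snort.conf fragment listing which rule files are enabled.
SAMPLE_SNORT_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-iis.rules
# include $RULE_PATH/smtp.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/pop3.rules
"""

# Assumed mapping from service port to the Snort 2.x rule files that cover
# it. Adjust this table to the rule set you actually deploy.
PORT_TO_RULEFILES = {
    21: ["ftp.rules"],
    23: ["telnet.rules"],
    25: ["smtp.rules"],
    53: ["dns.rules"],
    80: ["web-misc.rules", "web-iis.rules", "web-cgi.rules"],
    110: ["pop3.rules"],
    139: ["netbios.rules"],
    143: ["imap.rules"],
    445: ["netbios.rules"],
    1433: ["sql.rules"],
    3306: ["mysql.rules"],
}

# Matches "src.sport > dst.dport:" in tcpdump text output; ICMP lines
# carry no ports and are deliberately skipped.
FLOW_RE = re.compile(r"(\S+?)\.(\d+) > (\S+?)\.(\d+):")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def tally_dst_ports(tcpdump_text, local_prefix="10.0.0."):
    """Count packets per destination port for traffic aimed at local hosts."""
    counts = Counter()
    for line in tcpdump_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        dst_host, dst_port = m.group(3), int(m.group(4))
        if dst_host.startswith(local_prefix):
            counts[dst_port] += 1
    return counts


def enabled_rulefiles(conf_text):
    """Return the basenames of rule files included (and not commented out)."""
    enabled = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = INCLUDE_RE.match(line)
        if m:
            enabled.add(m.group(1).rsplit("/", 1)[-1])
    return enabled


def coverage_report(counts, enabled, port_map=PORT_TO_RULEFILES):
    """Compare observed destination ports against the enabled rule files."""
    covered, uncovered, unmapped = {}, {}, []
    for port in sorted(counts):
        files = port_map.get(port)
        if files is None:
            unmapped.append(port)          # traffic we have no rule mapping for
        elif any(f in enabled for f in files):
            covered[port] = counts[port]
        else:
            uncovered[port] = files        # traffic seen, matching rules off
    known = {f for files in port_map.values() for f in files}
    observed = {f for p in counts for f in port_map.get(p, [])}
    # Service rule files that are enabled but matched no observed traffic:
    # candidates for the "you may not need web server rules" review.
    unused = sorted(f for f in enabled if f in known and f not in observed)
    return {"covered": covered, "uncovered": uncovered,
            "unmapped": unmapped, "unused_enabled": unused}


if __name__ == "__main__":
    report = coverage_report(tally_dst_ports(SAMPLE_TCPDUMP),
                             enabled_rulefiles(SAMPLE_SNORT_CONF))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report flags SMTP, MSSQL and MySQL traffic arriving with their rule files disabled, port 8080 as unmapped, and pop3.rules as enabled without any POP3 traffic. In practice you would feed it `tcpdump -n -r capture.pcap` output from several capture windows (working hours and off hours) rather than the embedded sample, and treat "uncovered" as the list to investigate first.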
Current thread:
- Making Snort Rules More "Sensitive" Rich Lichvar (Jun 17)
- Re: Making Snort Rules More "Sensitive" Erek Adams (Jun 17)
- RE: Making Snort Rules More "Sensitive" D@7@K|N& (Jun 17)
- RE: Making Snort Rules More "Sensitive" D@7@K|N& (Jun 17)
- <Possible follow-ups>
- RE: Making Snort Rules More "Sensitive" L. Christopher Luther (Jun 17)
- Re: Making Snort Rules More "Sensitive" Erek Adams (Jun 17)