Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Rules optimization

From: "Vuppala, Vijaybhasker (EM, GECIS)" <Vijaybhasker.Vuppala () geind ge com>
Date: Fri, 20 Jun 2003 02:44:33 -0400
Few questions

1. I have multiple subnets in the segment where i'm monitoring the data. is
it possible to add multiple segments in HOME_NET
2. if i add my subnets to HOME_NET, will it be able to capture both attaks
coming into my network as well as attaks being generated from my Network.
I'm basically monitoring company's internal network and interested in both.

Regards,
Vijay

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Wednesday, June 18, 2003 10:50 PM
To: Vuppala, Vijaybhasker (EM, GECIS)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rules optimization


On Wed, 18 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:


I have used Snort ver 1.8.7 on Redhat Linux 7.3 with Default Rules

provided

[...snip...]

You need to upgrade.  Versions <=1.9.1 have a nasty remotely exploitable
hole in them.

As for rule tuning, it sounds like you don't have the HOME_NET and
EXTERNAL_NET variables set correctly.  HOME_NET should be set to the
network you want to "watch", and EXTERNAL_NET should be everything else.
So if your network was 10.10.10.0/24:

        var HOME_NET 10.10.10.0/24
        var EXTERNAL_NET !$HOME_NET

With those settings it should reduce the number of false postives you get.

As for tuning, you simply have to get Snort setup and working, and then
examine each and every alert.  You have then decide if the packets are
'normal' or not.  You'll discover things that you need to setup pass rules
for, add BPF filters or add a rule for.  Something like Ntop [0] is very
helpful in this respect to get a nice 'overview' of your networks traffic.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]     http://www.ntop.org/


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: