Re: Please help!!

[Thiago Mello <tmello00 () yahoo com br>]

Hi Henrique,

I think that before you install a IDS you have to know and decide all
servers/routers/hosts that you want to the IDS "protect", so my opnion
is to you draw a schema of your network, with the apropriate services
and SO, and than apply the Snort rules, with that Snort will be able to
use the rules that is for your network.

But you also might want to inspect all the network traffic that will
give you more alerts do analyze.

About the updating automatic of the rules is your option.

Regards,
Thiago Mello

ps: next time you post to this list, you dont have to show the real IP
address, you can fake the Ips in the alert.



On Tue, 2003-10-28 at 06:05, hlima () pbh gov br wrote:
> Hello everyone. I know  I've sent this message before. I'd appreciate an
> answer to my email a lot !
> I've been using SNORT 2.0.0 for a couple of weeks and Oinkmaster
> to update its rules. The reason why I'm writing this email is that I have
> been getting the following same 8 alerts:
>
> 1 - 09/26-11:18:03.541838  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows
> [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.183.85.231
> -> 200.186.217.147
>
> 2 -10/03-11:06:20.603344  [**] [1:1841:2] WEB-CLIENT javascript URL host
> spoofing a
> ttempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
> {TCP}
> 200.162.176.13:80 -> 200.186.217.173:35854
>
> 3 - 10/03-11:21:23.020325  [**] [1:615:3] SCAN SOCKS Proxy attempt [**]
> [Classificat
> ion: Attempted Information Leak] [Priority: 2] {TCP} 211.216.81.175:1044
> -> 200.
> 186.217.147:1080
>
> 4 - 10/08-18:41:04.295973  [**] [1:2003:2] MS-SQL Worm propagation attempt
> [**] [Cla
> ssification: Misc Attack] [Priority: 2] {UDP} 66.248.98.112:3020 ->
> 200.186.217.
> 146:1434
>
> 5 - 10/08-21:23:02.344940  [**] [1:620:3] SCAN Proxy (8080) attempt [**]
> [Classifica
> tion: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 ->
> 200.18
> 6.217.147:8080
>
> 7 - 10/08-21:48:42.671706  [**] [1:618:4] SCAN Squid Proxy attempt [**]
> [Classificat
> ion: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 ->
> 200.186
> .217.147:3128
>
> 8 -
> 10/20-07:12:54.320578  [**] [1:485:2] ICMP Destination Unreachable
> (Communicatio
> n Administratively Prohibited)
> [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.186.217.129
> -> 200
> .186.217.173
>
> My network is big and I THINK I could be getting more alerts.I have
> configured the snort.conf file informing my HOMEnet, the EXTERNAL_NET,
> my DNS and SMTP severs. Have not edited anything else on this file.
> On this same file there are some rules files that are commented out like
> backdoor.rules
> porn.rules
> policy.rules
> chat.rules
> etc
> They were automatically commented out when I installed SNORT 2.0.0
> Still the majority of rules file are enabled.
>
>   Please someone give some suggestion regarding enabling those rules above
> or whether I should inform something else on the snort.conf file.
>   Should I still install the newest SNORT version even having the
> Oinkmaster software updating my rules?
>
> Thanks in Advance
>
> Henrique de Lima




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users