Snort mailing list archives

RE: Getting more paranoid by the minute. :-/


From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Sat, 24 Apr 2004 23:50:18 -0300

As Paul mentioned, paranoia is a good thing ;D

But keep in mind that snort won't "protect" your customer. It will help
in that effort. It's a tool, like many others, that, if properly set up,
will do a small number of things that, when put together with other
tools, will help you build up a secure environment.

I would like to suggest that you look at security as a process, not
as a bunch of tools. Maybe I didn't interpret your phrase correctly, but
the idea behind the...

"It's important that I do it right, or their customer's sensitive data
will be compromised"

... seems like you are relying on snort for the task. I won't go further
this way, but I would like to recommend Schneier's book, Digital
Security in a Networked World.

If you were hired to employ *only* snort sensors, you can't think that
only the sensors will keep the potential risk out of the network. They
will only warn you, if properly configured, when someone attempts to
break in. Concerning deploying an IDS, keep in mind that reducing the
number of false alerts is a nice goal to pursue.

Also, try to work as closely as possible with the guys doing the system
hardening and implementation. They can tell you what their goals are, so
you can screen the snort setup better.

Romulo M. Cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40





] -----Original Message-----
] From: snort-users-admin () lists sourceforge net 
] [mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
] Shaun T. Erickson
] Sent: Saturday, April 24, 2004 10:36 PM
] To: snort-users () lists sourceforge net
] Subject: [Snort-users] Getting more paranoid by the minute. :-/
] 
] 
] As I mentioned in an earlier post, I've been hired to set up several
] snort servers for a client. It's important that I do it right, or their
] customer's sensitive data will be compromised.
] 
] The more I read the Syngress Snort 2.0 book (I'm in chapter 5), the more I
] understand that there are an endless number of attacks out there. I'm
] concerned that my lack of knowledge will let an attacker at the data. I
] can't let that happen.
] 
] How can I possibly learn enough, quickly enough, to write all the rules
] to protect my client, when I don't even know all the attacks and
] exploits that are out there?
] 
] I understand that snort comes with a standard set of rules, that I can
] update off the net, to stay current. Is this standard set of rules going
] to be enough to protect my client, initially, as I continue to learn snort?
] 
] I'm trying to absorb as much as I can, as fast as I can, but they need
] this installed NOW, and I'm just concerned that my ignorance, as I come
] up to speed, not cost them everything.
] 
] Advice? Suggestions? Valium? Please.
] 
]       -ste
] 


-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users