Snort mailing list archives

Re: Getting more paranoid by the minute. :-/


From: Alejandro Flores <alejandro.flores () triforsec com br>
Date: Sun, 25 Apr 2004 10:09:32 -0300

        Hello,

Somewhat unrelated question: Once I set this up, how much time should I 
expect to have to spend on it daily? They want me to do other stuff, 
like install tripwire and host-based firewalls on all the servers, run 
nessus against everything and deal with the results, set up a new mail 
server, and a myriad of other normal SysAdmin tasks. I certainly hope 
that Snort doesn't require a lot of care and feeding every day ... but I 
don't know enough yet to be able to judge that.

        After install, you should properly configure snort to your network. I
mean, configure the Variables correctly (HOME_NET, HTTP_SERVERS...) so
you can get more accuracy from snort. As you said that they will run
webapps, configure the http_inspect preprocessor very carefully. This
will reduce the false positives.
        Check this article on securityfocus about SQL Injection and XSS:
        http://www.securityfocus.com/infocus/1768
        I don't like to log the alerts directly from snort to database. I
prefer to log to the Unified output, and run barnyard to read this log
and send the alerts to the database. This way, you can schedule a job,
transfer the logs to a central, and correlate the data.
        After setup, the first days will be learning days. You'll discover how
the internet likes your network, and things like CodeRed and MS-SQL WORM
are still alive. 

Have fun!
Alejandro Flores

--TriForSec
http://www.triforsec.com.br/ 
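As an added illustration of the tuning Alejandro describes (this fragment is not part of the original thread and is not his configuration), here is a Snort 2.x snort.conf excerpt that sets the network variables, scopes http_inspect to the actual web servers, and writes unified output for barnyard to pick up. The addresses and the unified filename are made up for the example.

```conf
# Added example, not from the original post. Addresses below are constructed.
# Narrow HOME_NET / HTTP_SERVERS so rules using these variables only fire on
# traffic that can really reach your hosts; this is the main false-positive cut.
var HOME_NET 192.168.10.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS [192.168.10.20,192.168.10.21]
var HTTP_PORTS 80
var SQL_SERVERS 192.168.10.30

# http_inspect: global part is required once; the IIS unicode map ships with Snort.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Default server profile for anything not listed explicitly.
preprocessor http_inspect_server: server default profile all ports { 80 8080 }

# Per-server profiles: an Apache box and an IIS box get the matching
# normalization rules instead of the generic "all" profile.
preprocessor http_inspect_server: server 192.168.10.20 profile apache ports { 80 }
preprocessor http_inspect_server: server 192.168.10.21 profile iis ports { 80 }

# Unified (binary) output: snort keeps sniffing, barnyard does the database work.
# "snort.unified" is a placeholder filename; limit is in megabytes per file.
output unified: filename snort.unified, limit 128
```

Point barnyard at the log directory that holds the unified files and let it load the alerts into the database on its own schedule, as the post suggests.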