Snort mailing list archives
Re: only the "important stuff"
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 27 Oct 2004 08:03:49 +1300
On Tue, Oct 26, 2004 at 09:34:56AM -0700, Steven Crandell wrote:
> This morning the president of the co. has asked that he -not- receive the day to day alerts and would only like to receive alerts on "successful" intrusions. Are there certain rules that would never be triggered unless someone actually gets into a monitored system? Or anything along those lines?
It can be done - but it depends how well you can define/control the activities of "monitored systems".

What we do here is have Snort monitoring our DMZes and WAN links - which generates tonnes of logs (via the "alert tcp ..." rules). As far as Internet attacks go, there is nothing you can do about them (i.e. you don't control the src IP), so - like your president wants - there's no point in converting those logs into alerts (meaning notifying someone).

However, if Snort logs an event *from* an internal address - that's a different matter. Typically it means you have a trojan-infected Windows box on your WAN - and you can do something about that - so convert it into an alert.

Similarly, DMZ hosts are well defined as far as initiating outgoing traffic goes: they can be DNS/SMTP/whatever servers - but besides such traffic (plus exceptions such as AV/Windows/up2date/yum updates), they shouldn't be seen to be initiating any other outgoing connections. So write some Snort rules that trigger whenever that occurs. We do that here, and it works plenty-fine :-) We know it works as we have issues with certain IS SysAdmins logging into the consoles of DMZ servers and going out on the Internet to get some package/whatever - and alerts get generated all over the place ;-)

So the theory is that if someone broke into one of our DMZ hosts, the moment they *attempt* to make an outgoing connection (say to download a rootkit or the likes), the NIDS will alert - irrespective of whether or not the connection matches a standard Snort rule. Effectively it's anomaly detection instead of pattern-matching. Usually anomaly detection is hard to do (suffers from FP), but in a well defined and controlled environment like DMZs - it can work.

It's all about defining your scope WRT IDS and alerting to match your environment.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
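As an added example (not from Jason's post and not a Snort project rule set), here is one way to express the DMZ policy he describes in Snort 2 rule syntax: pass rules for the handful of connections a DMZ host is expected to initiate, then an alert rule that fires on any other outbound connection attempt. The DMZ address range, the update-server addresses and the SIDs are made-up values chosen for illustration; substitute your own.

```snort
# Added example, not part of the original post. Snort 2.x rule syntax.
# Address ranges below are placeholders (RFC 5737 documentation space).
var DMZ_NET [192.0.2.0/24]
var UPDATE_SERVERS [198.51.100.10,198.51.100.11]

# Traffic a DMZ host is expected to originate: pass it so nothing fires.
pass udp $DMZ_NET any -> any 53 (msg:"DMZ host DNS query"; sid:1000001; rev:1;)
pass tcp $DMZ_NET any -> any 53 (msg:"DMZ host DNS over TCP"; sid:1000002; rev:1;)
pass tcp $DMZ_NET any -> any 25 (msg:"DMZ host outbound SMTP"; sid:1000003; rev:1;)
pass tcp $DMZ_NET any -> $UPDATE_SERVERS [80,443] (msg:"DMZ host fetching AV/OS updates"; sid:1000004; rev:1;)

# UDP is stateless to Snort, so replies from the DMZ DNS server to outside
# clients would otherwise look like outbound traffic; pass them explicitly.
pass udp $DMZ_NET 53 -> any any (msg:"DMZ DNS server reply"; sid:1000005; rev:1;)

# Anything else a DMZ host tries to open is a policy violation worth paging on.
# flags:S,12 matches only the initial SYN (ignoring the two ECN bits), so a
# server answering an inbound connection (SYN-ACK) does not trigger it and an
# attempted connection yields one alert rather than one per packet.
alert tcp $DMZ_NET any -> !$DMZ_NET any (msg:"POLICY DMZ host initiating unexpected outbound TCP connection"; flags:S,12; classtype:policy-violation; sid:1000010; rev:1;)

# For UDP, rate-limit to one alert per source host per minute to avoid a flood.
alert udp $DMZ_NET any -> !$DMZ_NET any (msg:"POLICY DMZ host sending unexpected outbound UDP"; classtype:policy-violation; threshold:type limit, track by_src, count 1, seconds 60; sid:1000011; rev:1;)
```

Two things to check before relying on this. First, rule-application order: older Snort 2 releases evaluated alert rules before pass rules unless Snort was started with `-o` (or `config order: pass alert log` was set in snort.conf), in which case the pass rules above would never suppress anything; confirm the default for the version in use. Second, the pass list is the whole policy: every legitimate outbound dependency of a DMZ host (NTP, syslog to an internal collector, a proxy) needs its own pass rule, and the noise from the SysAdmin-on-the-console case Jason mentions is the signal that the list is incomplete or that someone is working outside the agreed process.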
Current thread:
- only the "important stuff" Steven Crandell (Oct 26)
- Re: only the "important stuff" Jason Haar (Oct 26)
- <Possible follow-ups>
- RE: only the "important stuff" SN ORT (Oct 26)
- RE: only the "important stuff" M. Shirk (Oct 26)
- RE: only the "important stuff" Jacques Brierre (Oct 26)
- RE: only the "important stuff" Orit Vidas (Oct 26)