Snort mailing list archives

Re: Where do I go from here

From: Richard Bejtlich <taosecurity () gmail com>
Date: Tue, 15 Nov 2005 20:26:37 -0500

Timothy A. Holmes wrote:

So, I guess the next question is what is the next step?

To summarize, I have a SNORT box up and sniffing on the inbound line
between the Cable Modem and the Firewall.  The management port is inside
the firewall and has an IP on it while the sniffing port is outside the
firewall and does not have one.

I am logging to a mysql database, and running base for reporting.

As of the last check, I have received about 4500 alerts today, here is
the breakdown from base on them

I guess I need to know what to do next and how to begin utilizing this
data to better protect my network

Anyone who can help, or point me to the proper resources would be
greatly appreciated


Hi Tim,

I have one brief suggestion and one more involved suggestion.

The brief suggestion is to consider eventually deploying Barnyard with
Snort and MySQL.  It is a bad idea to have Snort log alerts directly
to a database.  As a single threaded application, Snort blocks every
time it does a MySQL INSERT.  That means packets are likely to be
dropped while Snort waits on the INSERT.  With Barnyard, Snort writes
alerts to unified output and Barnyard handles the INSERT.

The more involved suggestion addresses your "what to do next"
question.  Like most people who use Web-based alert browsers, you're
wondering "Now what?"  You have a slew of alerts (4500 you said?) and
no idea what to do with them.  You also most likely have no other data
to query other than what Snort provides in alert format.

It has been my experience that alert data is seldom sufficient to
detect and respond to intrusions.  Network security monitoring (NSM),
however, uses alerts as the *beginning* of an investigation, and not
the end result.  Those who practice NSM use alert data as an initial
indicator for further investigation of possible security events.

NSM analysts may begin with alerts, but then they turn to session,
full content, and/or statistical data for greater insight into network
events.

I have written about NSM extensively, and how you can have greater
success using network-based open source tools to detect and respond to
intrusions.  [0]  You may find the online chapters from my first book
will help direct your investigation, so I will not repeat that advice
here.

Sincerely,

Richard
http://www.taosecurity.com

[0] http://www.taosecurity.com/books.html


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Where do I go from here Timothy A. Holmes (Nov 15)
- <Possible follow-ups>
- RE: Where do I go from here Briggs, Bruce (Nov 15)
  - RE: Where do I go from here Lee Clemens (Nov 15)
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- Re: Where do I go from here Richard Bejtlich (Nov 15)