Snort mailing list archives
Re: Where do I go from here
From: Richard Bejtlich <taosecurity () gmail com>
Date: Tue, 15 Nov 2005 20:26:37 -0500
Timothy A. Holmes wrote:
So, I guess the next question is what is the next step? To summarize, I have a SNORT box up and sniffing on the inbound line between the Cable Modem and the Firewall. The management port is inside the firewall and has an IP on it while the sniffing port is outside the firewall and does not have one. I am logging to a mysql database, and running base for reporting. As of the last check, I have received about 4500 alerts today, here is the breakdown from base on them I guess I need to know what to do next and how to begin utilizing this data to better protect my network Anyone who can help, or point me to the proper resources would be greatly appreciated
Hi Tim, I have one brief suggestion and one more involved suggestion. The brief suggestion is to consider eventually deploying Barnyard with Snort and MySQL. It is a bad idea to have Snort log alerts directly to a database. As a single threaded application, Snort blocks every time it does a MySQL INSERT. That means packets are likely to be dropped while Snort waits on the INSERT. With Barnyard, Snort writes alerts to unified output and Barnyard handles the INSERT. The more involved suggestion addresses your "what to do next" question. Like most people who use Web-based alert browsers, you're wondering "Now what?" You have a slew of alerts (4500 you said?) and no idea what to do with them. You also most likely have no other data to query other than what Snort provides in alert format. It has been my experience that alert data is seldom sufficient to detect and respond to intrusions. Network security monitoring (NSM), however, uses alerts as the *beginning* of an investigation, and not the end result. Those who practice NSM use alert data as an initial indicator for further investigation of possible security events. NSM analysts may begin with alerts, but then they turn to session, full content, and/or statistical data for greater insight into network events. I have written about NSM extensively, and how you can have greater success using network-based open source tools to detect and respond to intrusions. [0] You may find the online chapters from my first book will help direct your investigation, so I will not repeat that advice here. Sincerely, Richard http://www.taosecurity.com [0] http://www.taosecurity.com/books.html ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_idv28&alloc_id845&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Where do I go from here Timothy A. Holmes (Nov 15)
- <Possible follow-ups>
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- RE: Where do I go from here Lee Clemens (Nov 15)
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- Re: Where do I go from here Richard Bejtlich (Nov 15)