Snort mailing list archives

Re: Everything working what next


From: k vijay sai prashanth <vijaysaiprashanth () gmail com>
Date: Thu, 29 Nov 2012 19:24:39 +0530

Okay. That's very informative. Sorry again if my question was too basic.
Just want to be clear on a fundamental level.

So for example, I have suppressed ICMP rules from internal systems to avoid
false positives. If some of my internal hosts were compromised and a DDoS was
launched from our internal systems, now that I've suppressed ICMP alerts from
these hosts I am in danger, right? How can I write suppress rules keeping such
situations in mind? Is there a way to suppress alerts up to a certain number
and, if that threshold is crossed, then raise an alert?

Regards,
Prashanth
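The "suppress up to a number, then alert" behaviour asked about above is what Snort 2.x calls an event_filter in threshold.conf, as opposed to a suppress line, which is unconditional. The simulator below is an added example written for this archive page, not code from the thread or from the Snort project; it parses threshold.conf-style lines and replays a constructed alert stream to show which events `type limit`, `type threshold` and `type both` would log next to a `suppress`. The sid 384 is assumed here to stand for an ICMP ping rule, and every address and timestamp is a constructed sample value.

```python
"""Replay a constructed Snort alert stream through threshold.conf-style
event_filter / suppress lines (added example, not Snort's own code).

Documented Snort 2.x semantics modelled here, per tracked IP and window:
  limit      log the first N events in the window, drop the rest
  threshold  log every Nth event
  both       log once, when the Nth event arrives, drop the rest
  suppress   never log (optionally only for one tracked IP)
"""
import re
from collections import defaultdict, namedtuple

# Assumed sample values: sid 384 stands in for an ICMP ping rule; the hosts
# are a monitoring box that is deliberately silenced, one compromised flooder
# and one quiet machine.
CONFIG_TEMPLATE = """
# alert when one source sends 100 pings inside a 60 second window
event_filter gen_id 1, sig_id 384, type {ftype}, track by_src, count 100, seconds 60
# never alert on pings from the monitoring host
suppress gen_id 1, sig_id 384, track by_src, ip 10.0.0.5
"""

FILTER_RE = re.compile(
    r"event_filter\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(limit|threshold|both),"
    r"\s*track\s+(by_src|by_dst),\s*count\s+(\d+),\s*seconds\s+(\d+)$"
)
SUPPRESS_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)"
    r"(?:,\s*track\s+(by_src|by_dst),\s*ip\s+(\S+))?$"
)

Event = namedtuple("Event", "t gen sid src dst")  # t: integer seconds


def parse_config(text):
    """Parse event_filter and suppress lines; '#' lines are comments."""
    filters, suppressions = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILTER_RE.match(line)
        if m:
            gen, sid, ftype, track, count, seconds = m.groups()
            filters.append({"gen": int(gen), "sid": int(sid), "type": ftype,
                            "track": track, "count": int(count), "seconds": int(seconds)})
            continue
        m = SUPPRESS_RE.match(line)
        if m:
            gen, sid, track, ip = m.groups()
            suppressions.append({"gen": int(gen), "sid": int(sid), "track": track, "ip": ip})
            continue
        raise ValueError(f"unrecognised line: {line}")
    return filters, suppressions


class EventFilterEngine:
    def __init__(self, config_text):
        self.filters, self.suppressions = parse_config(config_text)
        # per (gen, sid, track, ip): start of the current window and events seen in it
        self.state = defaultdict(lambda: {"start": None, "count": 0})

    @staticmethod
    def _tracked_ip(event, track):
        return event.src if track == "by_src" else event.dst

    def _suppressed(self, event):
        for s in self.suppressions:
            if (s["gen"], s["sid"]) != (event.gen, event.sid):
                continue
            # a suppress line without an ip silences the rule for everyone
            if s["ip"] is None or self._tracked_ip(event, s["track"]) == s["ip"]:
                return True
        return False

    def process(self, event):
        """Return True if the event would be logged as an alert."""
        if self._suppressed(event):
            return False
        for f in self.filters:
            if (f["gen"], f["sid"]) != (event.gen, event.sid):
                continue
            key = (f["gen"], f["sid"], f["track"], self._tracked_ip(event, f["track"]))
            st = self.state[key]
            if st["start"] is None or event.t - st["start"] >= f["seconds"]:
                st["start"], st["count"] = event.t, 0  # old window expired
            st["count"] += 1
            if f["type"] == "limit":
                return st["count"] <= f["count"]
            if f["type"] == "threshold":
                if st["count"] >= f["count"]:
                    st["count"] = 0  # log, then start counting again
                    return True
                return False
            return st["count"] == f["count"]  # both: exactly once per window
        return True  # no filter for this rule: every event is logged


def simulate(ftype="both"):
    """Run the constructed scenario with one filter type; return logged events."""
    engine = EventFilterEngine(CONFIG_TEMPLATE.format(ftype=ftype))
    events = []
    # monitoring host: 3 pings, always suppressed
    events += [Event(t, 1, 384, "10.0.0.5", "10.0.0.1") for t in (0, 1, 2)]
    # compromised host: 250 pings at 20 per second starting at t=10
    events += [Event(10 + i // 20, 1, 384, "192.168.1.20", "203.0.113.9") for i in range(250)]
    # quiet host: 5 pings, one per second
    events += [Event(20 + i, 1, 384, "192.168.1.30", "192.168.1.1") for i in range(5)]
    # compromised host again at t=100, after the 60 second window has expired
    events += [Event(100 + i // 20, 1, 384, "192.168.1.20", "203.0.113.9") for i in range(100)]
    return [e for e in events if engine.process(e)]


if __name__ == "__main__":
    for ftype in ("limit", "threshold", "both"):
        logged = simulate(ftype)
        print(f"type {ftype:9}: {len(logged)} alerts at t={[e.t for e in logged][:5]}")
```

With `type both` the flooding host produces exactly one alert per 60 second window in which it crosses 100 pings, while the quiet host never shows up, which is the behaviour the question is after; `type limit` instead passes the first 100 events of every host and then goes silent for the rest of the window, so a flood that starts late in a window is missed. The `suppress` line shows the risk named in the question: the monitoring host stays invisible under every filter type, so a suppress should be reserved for hosts whose ICMP noise is understood, and a threshold filter used where a host might one day turn hostile.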


On Thu, Nov 29, 2012 at 7:48 AM, waldo kitty <wkitty42 () windstream net> wrote:

On 11/28/2012 16:52, k vijay sai prashanth wrote:
I did google it actually, got very, very vague responses. I posted here as
everyone here uses Snort and will have clarity on their purpose of usage.

the main thing is to see the traffic on your network and that coming into
and going out of it... for instance, if you have a local policy of no P2P
apps, it is possible that a snort signature may alert on this type of
traffic so that you can put a stop to it...

Also if I may ask why do we need an IDS when there is already a firewall
in place?

firewalls can easily be breached... for example, if you have a web server
running inside your network that is open to the public on the WAN... with
snort you can sniff the traffic and see if anything untoward is going on...
one for instance would be if your web server runs a forum software
package... you could tell if some automated critter was beating on your
forum and trying to force a bogus spammy signup...

All the traffic I see in my logs is internal traffic. What kind of threats
am I looking at from internal traffic?

internal machines can easily be infested if they visit external web
sites... one only has to look at the iframe mess that's out there spreading
blackhole and other kits... pdf and java also bring threats... if something
gets loose inside, don't you want to know about it hopefully before it
infests other machines on your network?


Regards,
Prashanth


On Thu, Nov 29, 2012 at 3:14 AM, Ron Sinclair <unixfool () gmail com> wrote:

    Analyze the logged data to determine if there are any system/network
    breaches.  Noisy signatures can be commented out or tuned/filtered.
    Sometimes the logs can point out a misconfiguration that, while not an
    actual breach, can assist in fixing the issue.  Also, each network is
    different, so we won't be able to tell you what you should be seeing and
    how/if you should disable signatures.  We might be able to assist if
    you've a question about a particular piece of traffic, but you'll have to
    provide the pcap.  Sometimes, just being able to compare the PCAP against
    the rule itself is enough to determine the nature of logged traffic.
    Sometimes it takes a while to research.  It depends on what's being
    logged.

    I'm not sure if it's outside of the scope of this group or not, but
    using Google usually helps.


    On Wed, Nov 28, 2012 at 4:06 PM, k vijay sai prashanth
    <vijaysaiprashanth () gmail com> wrote:

        Hello All,

        I have set up snort and barnyard2 after a lot of pain. I even set up
        an Aanval front end. I now have events being logged and stored.

        I just have one question.

        What do I do with all the logs and alerts?

        What kind of analysis and reporting should I be doing?

        I hope this part is not out of scope for this group.

        Regards,
        Prashanth




------------------------------------------------------------------------------
Keep yourself connected to Go Parallel:
VERIFY Test and improve your parallel project with help from experts
and peers. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
