Snort mailing list archives
Re: Everything working what next
From: k vijay sai prashanth <vijaysaiprashanth () gmail com>
Date: Thu, 29 Nov 2012 19:24:39 +0530
Okay. Thats very informative. Sorry again if my question was too basic. Just want to be clear on a fundamental level. So for example, I have suppressed ICMP rules from internal systems to avoid false positives and if some of my internal hosts were compromised and a DDOS was launched form our internal systems, Now that I've suppressed ICMP alerts from these hosts I am in danger right? How can I write suppress rules keeping such situations in mind? Is there a way to suppress alerts upto a certain number and if that threshold is crossed then raise an alert? Regards, Prashanth On Thu, Nov 29, 2012 at 7:48 AM, waldo kitty <wkitty42 () windstream net>wrote:
On 11/28/2012 16:52, k vijay sai prashanth wrote:I did google it actually, Got very very vague responses. I posted here as everyone here uses Snort and will have clarity on their purpose of usage.the main thing is to see the traffic on your network and that coming into and going out of it... for instance, if you have a local policy of no P2P apps, it is possible that a snort signature may alert on this type of traffic so that you can put a stop to it...Also if I may ask why do we need an IDS when there is already a firewallinplace?firewalls can easily be breached... for example, if you have a web server running inside your network that is open to the public on the WAN... with snort you can sniff the traffic and see if anything untoward is going on... one for instance would be if your web server runs a forum software package... you could tell if some automated critter was beating on your forum and trying to force a bogus spammy signup...All the traffic I see in my logs are all internal traffic. What kind of threats am I looking at from internal traffic?internal machine can easily be infested if they visit external web sites... one only has to look at the iframe mess that's out there spreading blackhole and other kits... pdf and java also bring threats... if something gets loose inside, don't you want to know about it hopefully before it infests other machine on your network?Regards, Prashanth On Thu, Nov 29, 2012 at 3:14 AM, Ron Sinclair <unixfool () gmail com <mailto:unixfool () gmail com>> wrote: Analyze the logged data to determine if there are any system/network breaches. Noisy signatures can be commented out or tuned/filtered. Sometimes the logs can point out a misconfiguration that, whilenot anactual breach, can assist in fixing the issue. Also, each network is different, so we won't be able to tell you what you should be seeingandhow/if you should disable signatures. We might be able to assist ifyou'vea question about a particular piece of traffic, but you'll have toprovidethe pcap. Sometimes, just being able to compare the PCAP agains theruleitself is enough to determine the nature of logged traffic.Sometimes ittakes awhile to research. It depends on what's being logged. I'm not sure if it's outside of the scope of this group or not, butusingGoogle usually helps. On Wed, Nov 28, 2012 at 4:06 PM, k vijay sai prashanth <vijaysaiprashanth () gmail com <mailto:vijaysaiprashanth () gmail com>>wrote:Hello All, I have setup snort barnyard2 after a lot of pain. I even setupan Aanvalfront end. I now have events being logged and stored. I just have one question. What do I do with all the logs and alerts? What kind of analysis and reporting should I be doing? I hope this part is not out of scope for this group. Regards, Prashanth------------------------------------------------------------------------------ Keep yourself connected to Go Parallel: VERIFY Test and improve your parallel project with help from experts and peers. http://goparallel.sourceforge.net _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Keep yourself connected to Go Parallel: VERIFY Test and improve your parallel project with help from experts and peers. http://goparallel.sourceforge.net
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Everything working what next k vijay sai prashanth (Nov 28)
- Re: Everything working what next Ron Sinclair (Nov 28)
- Re: Everything working what next k vijay sai prashanth (Nov 28)
- Re: Everything working what next waldo kitty (Nov 28)
- Re: Everything working what next k vijay sai prashanth (Nov 29)
- Re: Everything working what next waldo kitty (Nov 29)
- Re: Everything working what next k vijay sai prashanth (Nov 28)
- Re: Everything working what next Ron Sinclair (Nov 28)