Re: Questions with this Snort IPS setup

[Ricky Huang <rhuang.work () gmail com>]

On Mar 12, 2013, at 8:36 AM, waldo kitty <wkitty42 () windstream net> wrote:

> On 3/11/2013 18:21, Ricky Huang wrote:
> > I have questions on a couple of things:
> > 1) With ipfw divert all traffic through Snort, if Snort dies for any reason, I
> > will be effectively locked out. What's the standard practice to leave one with a
> > backdoor to get back to the remote server?
>
> third NIC for administration?
>
> > 2) A quick search through pulledpork-updated snort.rules shows that there aren't
> > any drop rules; they're all alerts. Is there a standard set of drop rules for an
> > IPS?
>
> the list just went thru this a little while back... all distributed rules are 
> alerts... if you need them as drops, then you need to tell your rules management 
> software which ones to change to drop so it will do it each time it updates the 
> rules... oinkmaster uses modifysid options in a config file... pulledpork has a 
> similar functionality but i think you list the sid of the rule in a specific 
> file to get the edit... not sure as i don't use pulledpork (yet??)

I just signed on the list a few weeks ago so I am not aware of the thread you mentioned.  Thanks for the pointer I'll 
look into it in Pulledpork docs.


> > 3) Are there ways of creating email alerts such that the admin staff receives
> > alert emails on certain events?
>
> this would be something that your reporting tools would handle…

Thanks for the suggestions Waldo Kitty, do you have examples of such reporting tools?  Or what do you guy use?  i'd 
like to get an idea on where/how to start looking.

> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
> endpoint security space. For insight on selecting the right partner to 
> tackle endpoint security challenges, access the full report. 
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!