Snort mailing list archives

Re: Configuration questions-snort multiple instances


From: wkitty42 () windstream net
Date: Tue, 2 May 2017 12:11:01 -0400

On 05/02/2017 10:27 AM, Stanford Prescott wrote:
> Is it necessary to define the DNS_SERVERS for the LAN interfaces?

yes if any rules are used that need the DNS_SERVERS variable defined... a quick

grep -E -e "DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules | wc -l

of my sensor's installation shows 29 rules using that variable... of those, 21 
are disabled...

FWIW: i would keep the DNS_SERVERS defined to the internal LAN IP for that 
interface specifically to be able to catch internal machines attempting these 
lookups that are indicators of malfeasance...


this grep will show you the enabled rules that have DNS_SERVERS defined in 
them... some are research scanners (in my local.rules), some are conficker 
detections, some are DoS packet related, some are looking for DNS cache poisoning...

grep -E -e "^[^#].*DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules

> 2. Each snort instance has its own rule sets. One of these is the Talos
> reputation IP blacklists. Should the internal LAN instances of snort also
> have access to the public IP addresses provided by the Talos IP blacklists
> since the internal LANs really only use private IP addresses?

the internal LANs may use only RFC1918 addresses, but they make requests to WAN 
IPs as well... yes, blacklists and whitelists are a GoodThing<tm> to consider on 
the LAN interfaces... especially to prevent, and to determine, which internal 
systems are attempting to contact those blacklisted IPs... especially if those 
internal systems are trying to exfiltrate personal or corporate information...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
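The two greps in the reply above, generalized into a small script, as an added example that is not part of the original message or of Snort itself: it counts how many rules in a directory reference a given rule variable (DNS_SERVERS here, but any $VAR such as HOME_NET works), how many of those are enabled, and how many are commented out, and it treats an indented "  # alert ..." line as disabled as well, which the bare `^[^#]` pattern does not. The rules it runs against are constructed for the demonstration and written to a temporary directory; the Smoothwall path from the thread is not assumed.

```shell
#!/bin/sh
# Added example, not from the original post or from the Snort project.
# Count total / enabled / disabled rules that reference a rule variable
# (e.g. DNS_SERVERS) across every *.rules file in a directory.

# Constructed sample rules for the demonstration (not real Talos rules).
SAMPLEDIR="$(mktemp -d)"
cat > "$SAMPLEDIR/sample.rules" <<'EOF'
# constructed sample rules for the example
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"to DNS servers, enabled"; sid:1000001; rev:1;)
#alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"to DNS servers, disabled"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"no DNS_SERVERS here"; sid:1000003; rev:1;)
  # alert tcp any any -> $DNS_SERVERS 53 (msg:"disabled with leading whitespace"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $DNS_SERVERS 53 (msg:"enabled, # inside msg is not a comment"; sid:1000005; rev:1;)
EOF

# count_rules VAR DIR  -> prints "TOTAL ENABLED DISABLED"
# -F matches the literal string "$VAR" so the '$' is not taken as an anchor.
# "|| true" keeps a zero-match grep (exit status 1) from aborting under set -e.
count_rules() {
  var="$1"; dir="$2"
  total=$(cat "$dir"/*.rules | grep -c -F -- "\$$var" || true)
  enabled=$(cat "$dir"/*.rules | grep -v '^[[:space:]]*#' | grep -c -F -- "\$$var" || true)
  echo "$total $enabled $((total - enabled))"
}

# list_enabled VAR DIR -> prints each enabled rule line that references $VAR
list_enabled() {
  var="$1"; dir="$2"
  cat "$dir"/*.rules | grep -v '^[[:space:]]*#' | grep -F -- "\$$var" || true
}

# Stand-alone run against the constructed sample directory.
echo "total enabled disabled (sample):"
count_rules DNS_SERVERS "$SAMPLEDIR"
echo "enabled rules referencing \$DNS_SERVERS (sample):"
list_enabled DNS_SERVERS "$SAMPLEDIR"
```

To use it on a sensor, call the two functions with the real rules directory as the second argument (for the Smoothwall layout in the thread that would be the directories matched by /var/smoothwall/snort/*rules*/); the sample directory is only there so the script runs offline. Because the functions read the files and never write them, pointing them at a live rules tree is safe.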

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
