Snort mailing list archives

Step #1 Set the Network Variables


From: Dan O'Brien via Snort-users <snort-users () lists snort org>
Date: Wed, 4 Oct 2017 06:29:33 -0400

Good morning Snort Users,


In my quest to have a configured NIDS, I realized I may have put the cart
before the horse during setup. I used a guide to set up my system and I am
trying to learn as I go. Yesterday, in researching the http_inspect
preprocessor, I happened to open the snort.conf and realized I may have
suppressed some rules instead of setting up some of the primary settings.
Instead of just suppressing rule 120/3, I would like to try to properly
set up Snort.


For example, I run Pi-hole on my network. Pi-hole is a DNS cache/forwarder.
Would it help with some of the false positives I am getting if I defined my
DNS servers under ipvar DNS_SERVERS? I currently have "ipvar DNS_SERVERS
$HOME_NET".


Same with the "ipvar HTTP_SERVERS $HOME_NET". I have a Nagios/nconf health
monitoring server on my network. Should the ipvar HTTP_SERVERS include that
IP instead of the entire network?


Multiple examples of this:

1. I have an SMTP transfer program for sending emails
2. Multiple Linux boxes/routers with SSH


Same thing with portvar. Should I limit HTTP_PORTS to only those in use by
my webservers?


I am afraid of limiting Snort too much and making it ineffective.


Thanks in advance.


Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is
crooked in his ways." - Proverbs 28:6
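
The question above is whether narrowing ipvar DNS_SERVERS / HTTP_SERVERS and portvar HTTP_PORTS changes which traffic the rules that reference them are evaluated against. The following is an added example, not code from the thread or from the Snort project: a small Python model of how snort.conf variables (lists, CIDR, $REFERENCES, ! negation) resolve and feed a rule header, run against constructed config fragments, addresses and packets.

```python
# Added example (not from the thread): a model of how Snort resolves ipvar/portvar
# values (lists, CIDR, $REFERENCES, ! negation) and applies them in a rule header, to
# check what narrowing DNS_SERVERS from $HOME_NET to one Pi-hole address changes.
# The snort.conf fragments, addresses and packets below are all constructed.
import ipaddress
import re

def _atom(kind, item):
    # One literal -> predicate: a host/CIDR for ipvar, a port or lo:hi range for portvar.
    if kind == "ipvar":
        net = ipaddress.ip_network(item, strict=False)
        return lambda v: ipaddress.ip_address(v) in net
    lo, _, hi = item.partition(":")
    return lambda v: int(lo) <= int(v) <= int(hi or lo)

def parse_value(kind, text, variables):
    # Resolve a variable value or rule token into (include, exclude) predicate lists.
    items = text[1:-1].split(",") if text.startswith("[") else [text]  # one list level
    include, exclude = [], []
    for item in (i.strip() for i in items if i.strip()):
        negate, item = item.startswith("!"), item.lstrip("!")
        if item == "any":
            continue  # no predicate at all: matches everything
        # $NAME refers to an earlier variable; a negated reference only contributes its includes
        inc, exc = variables[item[1:]] if item.startswith("$") else ([_atom(kind, item)], [])
        (exclude if negate else include).extend(inc)
        exclude.extend([] if negate else exc)
    return include, exclude

def parse_conf(conf):
    variables = {}
    for line in conf.splitlines():  # values are single tokens, as in snort.conf (no spaces in lists)
        m = re.match(r"\s*(ipvar|portvar)\s+(\w+)\s+(\S+)$", line)
        if m:
            variables[m.group(2)] = parse_value(m.group(1), m.group(3), variables)
    return variables

def rule_fires(variables, header, pkt):
    # header like 'alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53'; pkt = (proto, src, sport, dst, dport)
    _, proto, src, sport, _, dst, dport = header.split()
    def ok(token, value, kind):
        inc, exc = parse_value(kind, token, variables)
        return (not inc or any(p(value) for p in inc)) and not any(p(value) for p in exc)
    return proto == pkt[0] and all(ok(*f) for f in zip((src, sport, dst, dport), pkt[1:], ("ipvar", "portvar") * 2))

BROAD = "ipvar HOME_NET [192.168.1.0/24]\nipvar EXTERNAL_NET !$HOME_NET\nipvar DNS_SERVERS $HOME_NET\n"
NARROW = BROAD.replace("ipvar DNS_SERVERS $HOME_NET", "ipvar DNS_SERVERS [192.168.1.2]")  # Pi-hole only
DNS_RULE = "alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53"
TO_PIHOLE = ("udp", "203.0.113.9", "40000", "192.168.1.2", "53")
TO_OTHER_LAN_HOST = ("udp", "203.0.113.9", "40000", "192.168.1.50", "53")
```

With BROAD the DNS rule header matches port-53 traffic to every host in HOME_NET; with NARROW it matches only traffic to the Pi-hole, which is the part of the false-positive question the variables control. Snort's real verdict additionally depends on the rule body (content matches, flow state, preprocessor output), which this header-only model does not cover.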

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!