Snort mailing list archives
Step #1 Set the Network Variables
From: Dan O'Brien via Snort-users <snort-users () lists snort org>
Date: Wed, 4 Oct 2017 06:29:33 -0400
Good morning Snort Users,

In my quest to have a configured NIDS, I realized I may have put the cart before the horse during setup. I used a guide to setup my system and I am trying to learn as I go. Yesterday, in researching the http_inspect preprocessor, I happened to open the snort.conf and realized I may have suppressed some rules instead of setting up some of the primary settings. Instead of just suppressing rule 120/3, I would like to try to properly setup snort.

For example, I run Pi-hole on my network. Pi-hole is a DNS cache/forwarder. Would it help with some of the false positives I am getting if I defined my DNS servers under ipvar DNS_SERVERS? I currently have "ipvar DNS_SERVERS $HOME_NET".

Same with the "ipvar HTTP_SERVERS $HOME_NET". I have a Nagios/nconf health monitoring server on my network. Should the ipvar HTTP_SERVERS include that ip instead of the entire network?

Multiple examples of this:
1. I have a SMTP Transfer program for sending emails
2. Multiple Linux boxes/routers with ssh

Same thing with portvar. Should I limit HTTP_PORTS to only those in use by my webservers?

I am afraid of limiting snort too much and making it ineffective.

Thanks in advance.

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
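The following snort.conf fragment is an added illustration of the change the question is about, not configuration from the thread or from the Snort project's shipped file. It shows the Snort 2.9 ipvar/portvar syntax with each server variable narrowed from $HOME_NET to the hosts that actually play that role. Every address, port and host role is a constructed placeholder standing in for the poster's LAN.

```conf
# Added example (not from the thread): narrowed network variables for a
# Snort 2.9 snort.conf. Addresses, ports and host roles below are
# constructed placeholders; substitute the real hosts on your network.

# Everything you protect. In the stock file every other ipvar points here,
# so server-specific rules run against every host, including hosts that
# are not really DNS or HTTP servers.
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET

# DNS: the Pi-hole cache/forwarder is the only host that should answer DNS.
# Rules whose header tests $DNS_SERVERS then only match traffic to it.
ipvar DNS_SERVERS [192.168.1.2]

# HTTP: the Nagios/nconf monitoring host (constructed address), not the LAN.
ipvar HTTP_SERVERS [192.168.1.10]

# SMTP: the mail relay used for outbound notifications.
ipvar SMTP_SERVERS [192.168.1.20]

# SSH: every Linux box and router that exposes sshd.
ipvar SSH_SERVERS [192.168.1.1,192.168.1.10,192.168.1.20,192.168.1.30]

# Roles you do not run on the network can stay at the default; narrowing
# them buys nothing, and leaving them broad keeps those rules active
# everywhere.
ipvar SQL_SERVERS $HOME_NET
ipvar TELNET_SERVERS $HOME_NET
ipvar FTP_SERVERS $HOME_NET

# Plain-HTTP ports the web servers actually listen on. A rule header that
# uses $HTTP_PORTS will not match a request to a port omitted here.
portvar HTTP_PORTS [80,8080]
portvar SSH_PORTS 22
```

The trade-off behind the "limiting snort too much" worry is simple to state: a rule whose header is written against $HTTP_SERVERS and $HTTP_PORTS is evaluated only for packets to those addresses and ports, so a host or port left off the list is invisible to that rule, while a host that is on the list but does not really serve that protocol is exactly where the false positives come from. Narrow the variables to the hosts that really play each role and leave the rest at $HOME_NET. Note also that in Snort 2.9 the http_inspect preprocessor takes its own `ports { ... }` list on its `preprocessor http_inspect_server:` line; that list is independent of portvar HTTP_PORTS, so the two should be kept in agreement when you change one.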