Snort mailing list archives

Re: Step #1 Set the Network Variables


From: Marcin Dulak via Snort-users <snort-users () lists snort org>
Date: Wed, 4 Oct 2017 13:18:36 +0200

On Wed, Oct 4, 2017 at 12:29 PM, Dan O'Brien via Snort-users <
snort-users () lists snort org> wrote:

Good morning Snort Users,

In my quest to have a configured NIDS, I realized I may have put the cart
before the horse during setup.  I used a guide to set up my system and I am
trying to learn as I go.  Yesterday, in researching the http_inspect
preprocessor, I happened to open the snort.conf and realized I may have
suppressed some rules instead of setting up some of the primary settings.
Instead of just suppressing rule 120/3, I would like to try to properly
set up Snort.

For example, I run Pi-hole on my network.  Pi-hole is a DNS
cache/forwarder.  Would it help with some of the false positives I am
getting if I defined my DNS servers under ipvar DNS_SERVERS?  I currently
have “ipvar DNS_SERVERS $HOME_NET”


Snort rules are not consistent in their usage of the variables. Go over all
your active rules and verify they contain the variables relevant to your
case.

Best regards,

Marcin

Same with the “ipvar HTTP_SERVERS $HOME_NET”.  I have a Nagios/nconf
health monitoring server on my network.  Should the ipvar HTTP_SERVERS
include that IP instead of the entire network?

Multiple examples of this:

1. I have an SMTP transfer program for sending emails
2. Multiple Linux boxes/routers with ssh

Same thing with portvar.  Should I limit HTTP_PORTS to only those in use
by my webservers?

I am afraid of limiting snort too much and making it ineffective.

Thanks in advance.

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is
crooked in his ways." - Proverbs 28:6

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


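Marcin's advice above is to check which variables the active rules actually reference before narrowing HTTP_SERVERS, DNS_SERVERS or HTTP_PORTS. The following Python script is an added example (not part of this thread and not Snort's own code) that inventories the $VARIABLE references in rule headers and flags rules that hard-code a port such as 80 instead of using $HTTP_PORTS, which is the kind of inconsistency the reply warns about. The rules, SIDs and messages in SAMPLE_RULES are constructed placeholders, not rules from any real ruleset.

```python
"""Inventory which Snort network/port variables the active rules actually use.

Added example, not part of the original thread or the Snort project.  It parses
rule headers (action, protocol, source, source port, direction, destination,
destination port) and reports, per variable, which SIDs reference it, so that
narrowing e.g. HTTP_SERVERS from $HOME_NET to a single host can be judged by
the rules it would affect.  The rules below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample rules (not from any real ruleset); SIDs are placeholders.
SAMPLE_RULES = r'''
# comment line and a disabled rule
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"disabled"; sid:900001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"web probe"; sid:900002; rev:1;)
alert udp any any -> $DNS_SERVERS 53 (msg:"dns query anomaly"; sid:900003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"outbound http"; sid:900004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"literal port 80"; sid:900005; rev:1;)
alert tcp any any -> $SMTP_SERVERS $SMTP_PORTS (msg:"smtp probe"; sid:900006; rev:1;)
alert tcp $EXTERNAL_NET any -> $SSH_SERVERS $SSH_PORTS (msg:"ssh probe"; sid:900007; rev:1;)
'''

# Rule header: action proto src sport dir dst dport, followed by the option body.
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\('
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
VAR_RE = re.compile(r'\$(\w+)')


def parse_rules(text):
    """Yield (sid, header_dict) for each active (uncommented) rule."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank line or disabled/commented rule
        m = HEADER_RE.match(line)
        if not m:
            continue  # not a rule header (e.g. a config directive)
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        yield sid, m.groupdict()


def variable_usage(text):
    """Map each $VARIABLE name to the sorted list of SIDs whose header uses it."""
    usage = defaultdict(set)
    for sid, hdr in parse_rules(text):
        for field in ('src', 'sport', 'dst', 'dport'):
            # negated forms like !$HOME_NET and lists like [$A,$B] are covered too
            for var in VAR_RE.findall(hdr[field]):
                usage[var].add(sid)
    return {var: sorted(sids) for var, sids in usage.items()}


def literal_port_rules(text, port):
    """SIDs whose header uses a literal port (e.g. 80) instead of a portvar.

    Such rules are unaffected by narrowing HTTP_PORTS, which is exactly the
    inconsistency between rules that the reply above warns about."""
    hits = []
    for sid, hdr in parse_rules(text):
        for field in ('sport', 'dport'):
            # handle a single port, port lists [80,8080] and ranges 80:90
            tokens = re.split(r'[\[\],:]', hdr[field])
            if str(port) in tokens:
                hits.append(sid)
                break
    return hits


if __name__ == '__main__':
    for var, sids in sorted(variable_usage(SAMPLE_RULES).items()):
        print(f'${var:<14} used by {len(sids)} rule(s): {sids}')
    print('literal port 80 (not $HTTP_PORTS):', literal_port_rules(SAMPLE_RULES, 80))
```

Run it over the enabled .rules files (concatenate them and pass the text to variable_usage) to see which SIDs a narrower ipvar or portvar would scope and which rules, because they use any or a literal port, would not change at all. Only the header fields are inspected, since those decide which traffic a rule is applied to; the option body (content, pcre and so on) is left alone.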