Snort mailing list archives

Re: Step #1 Set the Network Variables


From: Paul O'Brien via Snort-users <snort-users () lists snort org>
Date: Wed, 4 Oct 2017 08:50:45 -0400

I apologize, I use PulledPork for rules. I have over 30,000 active rules according to PulledPork. I realize that 
might be excessive for a home network, but reviewing 30,000 rules seems like it might be the reason people just suppress 
noisy rules. Any other suggestions?

Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6

Sent from my iPhone

On Oct 4, 2017, at 7:18 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:



On Wed, Oct 4, 2017 at 12:29 PM, Dan O'Brien via Snort-users <snort-users () lists snort org> wrote:
Good morning Snort Users,


In my quest to have a configured NIDS, I realized I may have put the cart before the horse during setup.  I used a 
guide to set up my system and I am trying to learn as I go.  Yesterday, in researching the http_inspect preprocessor, 
I happened to open the snort.conf and realized I may have suppressed some rules instead of setting up some of the 
primary settings.  Instead of just suppressing rule 120/3, I would like to try to properly set up Snort.


For example, I run Pi-hole on my network.  Pi-hole is a DNS cache/forwarder.  Would it help with some of the false 
positives I am getting if I defined my DNS servers under ipvar DNS_SERVERS?  I currently have “ipvar DNS_SERVERS 
$HOME_NET”


Snort rules are not consistent in their usage of the variables. Go over all your active rules and verify whether they 
contain any variables relevant to your case.

Best regards,

Marcin

Same with the “ipvar HTTP_SERVERS $HOME_NET”.  I have a Nagios/nconf health monitoring server on my network.  Should 
the ipvar HTTP_SERVERS include that IP instead of the entire network?


Multiple examples of this:

1. I have an SMTP transfer program for sending emails

2. Multiple Linux boxes/routers with ssh


Same thing with portvar.  Should I limit HTTP_PORTS to only those in use by my webservers?


I am afraid of limiting snort too much and making it ineffective. 


Thanks in advance.


Thanks,
Dan

"Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
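The audit Marcin recommends (checking which active rules actually reference $DNS_SERVERS, $HTTP_SERVERS, $HTTP_PORTS and so on before narrowing them) is tedious by hand with tens of thousands of rules, but it is easy to script. The following Python script is an added example, not code from this thread or from the Snort project. It assumes Snort 2 rule syntax, reads ipvar/portvar/var definitions from a snort.conf fragment and rule headers from a rules file, and reports per variable how many active (uncommented) rules use it, which ipvars are just aliases of $HOME_NET (so narrowing them would change what the rules match), which defined variables no active rule uses, and which variables rules reference without a definition. The config lines, the rules and the SIDs in the 9000000 range are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed snort.conf fragment: the common "everything is $HOME_NET" starting point.
SNORT_CONF = """
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar SMTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# Constructed rules (Snort 2 syntax). Rule 9000003 is commented out, i.e. inactive.
RULES = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed web rule"; sid:9000001; rev:1;)
alert udp any any -> $DNS_SERVERS 53 (msg:"constructed dns rule"; sid:9000002; rev:1;)
# alert tcp any any -> $SMTP_SERVERS 25 (msg:"constructed disabled smtp rule"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed outbound rule"; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"constructed sql rule"; sid:9000005; rev:1;)
"""

VAR_DEF = re.compile(r'^\s*(ipvar|portvar|var)\s+(\S+)\s+(.+?)\s*$')
VAR_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
# Rule header: action proto src srcport dir dst dstport, up to the opening "(" of the options.
RULE_HEADER = re.compile(
    r'^\s*(alert|log|pass|drop|reject|sdrop)\s+\S+\s+(\S+)\s+(\S+)\s+(->|<>|<-)\s+(\S+)\s+(\S+)\s*\(')
SID = re.compile(r'\bsid\s*:\s*(\d+)')


def parse_variables(conf_text):
    """Return {name: (kind, value)} for every ipvar/portvar/var line in a snort.conf."""
    defs = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            kind, name, value = m.groups()
            defs[name] = (kind, value)
    return defs


def variable_usage(rules_text):
    """Map each $VARIABLE referenced in an active rule header to the set of SIDs using it."""
    usage = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # commented-out rules are not loaded by Snort, so they do not count
        m = RULE_HEADER.match(line)
        if not m:
            continue
        header = line[:m.end()]  # only the header can carry address/port variables
        sid_m = SID.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for var in VAR_REF.findall(header):
            usage[var].add(sid)
    return dict(usage)


def audit(conf_text, rules_text):
    """Cross-check variable definitions against the rules that actually reference them."""
    defs = parse_variables(conf_text)
    usage = variable_usage(rules_text)
    findings = {"counts": {}, "aliases_of_home_net": [], "unused": [], "undefined": []}
    for name, (kind, value) in defs.items():
        findings["counts"][name] = len(usage.get(name, ()))
        if name not in usage:
            findings["unused"].append(name)
        # An ipvar set to $HOME_NET matches the whole network; narrowing it changes rule scope.
        if kind == 'ipvar' and value.strip() == '$HOME_NET' and name != 'HOME_NET':
            findings["aliases_of_home_net"].append(name)
    # A rule header naming a variable that snort.conf never defines will fail to load.
    findings["undefined"] = sorted(v for v in usage if v not in defs)
    findings["unused"].sort()
    findings["aliases_of_home_net"].sort()
    return findings


if __name__ == "__main__":
    report = audit(SNORT_CONF, RULES)
    for name, n in sorted(report["counts"].items()):
        print(f"{name:<14} used by {n} active rule(s)")
    print("aliases of $HOME_NET:", report["aliases_of_home_net"])
    print("defined but unused:  ", report["unused"])
    print("referenced, undefined:", report["undefined"])
```

To run it against a real deployment, replace the constructed strings with the contents of snort.conf and the rules file PulledPork writes; the per-variable counts show which narrowing (for instance, setting DNS_SERVERS to the Pi-hole address) affects how many rules, and the "defined but unused" list shows where narrowing changes nothing at all.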




_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

