[Snort-users] rules precision

Blake Frantz blake at ...395...
Wed Oct 11 13:46:41 EDT 2000


It really depends on the mechanics of your network, how anal you want to
be, and how many false positives you feel like investigating.

The first step would be to define which activity is 'suspect', and design
your rules around that.  Keep in mind that there are many rules where it
would appropriate to ignore your internal network -  ie. port 137/139
traffic.  

You might also concider subnetting or segmenting your internal network, in
effect seperating those machines that have public interface from those
without (a DMZ of sorts).  Drop a linux box between the segments and snort
for 'suspect' packets traversing the segments.

That's my two...

Blake Frantz


On Wed, 11 Oct 2000, Raphael Bauduin wrote:

> Hi!
> 
> Here's how I'd like to use snort:
> we have a private LAN (192.168) and I want to verify that there are no 
> suspect activities on it. But a lot of suspect activity could come from a 
> machine on the LAN. (some machines have a   public interface. So if an 
> intruder cracks one of the machines with a public IP, he will try to go 
> further on the private LAN and the suspect activity will come from HOME_NET)
> 
> My question is: I see a lot of rules that specify "from !HOME_NET". I suppose 
> that if the suspect activity comes from a machine on my private lan, it won't 
> be detected... Is it usefull to rewrite all rules so they match "from 
> HOME_NET"? Where can I look for rules usefull for my specific needs?
> 
> Thanks from your advices!
> 
> Raph
> 
> -- 
> -- 
>               ---------------------------------- 
>              |  -�)                        (�-  |
>              |  /\\     Linux for ever     //\  |
>              | _\_v                        v_/_ |
>               ---------------------------------- 
> 
>    If windows is the answer, it must have been a stupid question.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 




More information about the Snort-users mailing list