[Snort-users] Reversing Snort

Terry Schmidt terry at ...2227...
Mon Jun 11 14:16:50 EDT 2001

I'm working with the free wireless communities (www.seattlewireless.net
www.personaltelco.net www.bawug.org www.nycwireless.net) to add IDS
functions to the Access Point Gateway machines.  One of the problems that we
face is people trying to do illegal and abusive activities on this free
public network, and trying to prevent this without making the network
difficult to use.

What we are currently experimenting with using Snort on the Access Point
Gateway, and reversing the rules to watch the outgoing traffic, instead of
the incoming traffic for "bad traffic".  I'm currently using 982 Snort
rules.  After the testing is done, we will add the functionality of Guardian
to the firewall rules, to shut down abusive users upon detection.  So far it
looks like Snort will fill the need perfectly, but detecting "bad traffic"
and shutting down that IP address (with Guardian).

Some of the issues that have come up:

1.    False Positives on Port Scan Detection - What is the ideal setting for
the Port Scan Preprocessor to not catch any false positives, but still catch
people doing port scans.  I currently have it set as (where $HOME_NET =
preprocessor portscan: $HOME_NET 10 3 portscan.log
and this gives less false positives than the default "4 3" setting, but
still gives false positives.

2.    Rule set to use for outgoing - I've been trying to narrow down what
rules set should be used for this type of environment, reducing false
positives, such as 'WEB-MISC ICQ Webfront HTTP DOS', 'WEB-IIS view source
via translate header'.  Does anyone have any recommendations on how to
narrow down the rules to be used on this type of installation?  My current
thoughts are just to drop a snort box on a network with 'good' user traffic,
and comment out all the rules that give false positives.

Also if anyone has any advice or comments on using Snort for this purpose,
please let me know.

Thanks for any help in advance,

--Terry        www.nycwireless.net

More information about the Snort-users mailing list