[Snort-users] Eliminating rulesets

Phil Wood cpw at ...440...
Sat Feb 9 17:12:06 EST 2002

Hmm,

On Sat, Feb 09, 2002 at 07:26:41PM -0500, Jeff Elkins wrote:
> Thanks.
> 
> I'll research invert before I repost. Wouldn't want to make someone drink an 
> extra beer :)

% dict invert
       v 1: make an inversion (in a musical composition); "here the
            theme is inverted"
       2: turn inside out or upside down [syn: {reverse}]

What I meant to say was fix up a rules file which looks for attacks going
out from your site.  An easy way would be to:

 % sed -e 's/EXTERNAL_NET/XXX_NET/' -e 's/HOME_NET/EXTERNAL_NET/' < web-iis.rules | sed -e 's/XXX_NET/HOME_NET/' > inverted-web-iis.rules

But, check the contents of your {EXTERNAL|HOME}_NET variables first.

Also, take another look at the various web alerts that triggered.  You
might see Forbidden or Connection closed ..., etc.

Or, is that another beer...

> 
> Jeff
> 
> 
> On Saturday 09 February 2002 06:08 pm, you wrote:
> > On Sat, Feb 09, 2002 at 01:42:42PM -0500, Jeff Elkins wrote:
> > > I'm not trying to promote alcohol usage, but I have a newbie question:
> > >
> > > I'm evaluating Snort on a Linux DSL/firewall box that also serves as a
> > > mail server and webserver (Sendmail/Apache).  The boxen inside the
> > > firewall are all Linux as well. I've commented out the Microsoft-specific
> > > rulesets (IIS,Frontpage and Cold Fusion). Other than statistics
> > > gathering, is there any reason I'd want them applied?
> >
> > You might want to invert them.
> >
> > > I was getting a _bunch_ of IIS alerts before I turned them off, btw.
> > >
> > > Thanks,
> > >
> > > Jeff Elkins
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...
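The inversion Phil describes, worked through as an added example that is not from the original post or from the Snort project. It swaps $HOME_NET and $EXTERNAL_NET on every rule line (both the source and the destination side, via a placeholder so the second substitution cannot undo the first), leaves comments alone, and then does the "check your {EXTERNAL|HOME}_NET variables" step against a snort.conf. The OUTBOUND msg prefix, the sid offset, the two sample rules and the variable values are assumptions made for the demo, not the real web-iis.rules or anyone's real configuration.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): invert a
# Snort rules file so that rules written for attacks arriving at $HOME_NET fire
# on the same traffic leaving it, then sanity-check the two net variables in
# snort.conf.  Msg prefix, sid offset and sample rules are demo assumptions.

# invert_rules: read rules on stdin, write the inverted rules on stdout.
#  - swaps every $HOME_NET / $EXTERNAL_NET (source and destination), going
#    through a $XXX_NET placeholder so the second swap cannot undo the first
#  - comment and blank lines pass through untouched
#  - prefixes the msg so the outbound alert is distinguishable in the logs
#  - adds a fixed offset (default 1000000) to the sid so the inverted rule does
#    not share an identifier with the original when both files are loaded
invert_rules() {
    offset="${1:-1000000}"
    sed -e '/^[[:space:]]*#/b' \
        -e '/^[[:space:]]*$/b' \
        -e 's/\$EXTERNAL_NET/$XXX_NET/g' \
        -e 's/\$HOME_NET/$EXTERNAL_NET/g' \
        -e 's/\$XXX_NET/$HOME_NET/g' \
        -e 's/msg:"/msg:"OUTBOUND /' \
    | awk -v off="$offset" '
        /^[[:space:]]*(#|$)/ { print; next }
        {
            if (match($0, /sid:[0-9]+;/)) {
                sid = substr($0, RSTART + 4, RLENGTH - 5) + off
                $0 = substr($0, 1, RSTART + 3) sid substr($0, RSTART + RLENGTH - 1)
            }
            print
        }'
}

# check_net_vars: return 0 only if snort.conf defines HOME_NET as something
# other than "any" and EXTERNAL_NET as its negation.  With the common default
# "var EXTERNAL_NET any", an inverted rule $HOME_NET -> $EXTERNAL_NET also
# matches traffic between two internal hosts, which is not "attacks going out
# from your site".  Returns 1 and prints what is wrong otherwise.
check_net_vars() {
    conf="$1"
    home=$(sed -n 's/^var HOME_NET[[:space:]]*//p' "$conf")
    ext=$(sed -n 's/^var EXTERNAL_NET[[:space:]]*//p' "$conf")
    case "$home" in
        ""|any)
            echo "HOME_NET is '${home:-unset}': set it to your own address space"
            return 1 ;;
    esac
    case "$ext" in
        '!$HOME_NET'|"!$home") return 0 ;;
        *)
            echo "EXTERNAL_NET is '${ext:-unset}': expected !\$HOME_NET, or inverted rules also match internal-to-internal traffic"
            return 1 ;;
    esac
}

# Constructed two-rule sample in the web-iis.rules style (not the real file).
SAMPLE_RULES='# constructed sample, web-iis.rules style
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; sid:1002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS unicode directory traversal"; flags:A+; content:"/..%c0%af../"; nocase; sid:1003; rev:1;)'

# invert_sample: run the constructed sample through invert_rules.
invert_sample() {
    printf '%s\n' "$SAMPLE_RULES" | invert_rules
}

# Running the script directly prints the inverted sample.
invert_sample
```

On a real file the call is `invert_rules < web-iis.rules > inverted-web-iis.rules`, followed by `check_net_vars /etc/snort/snort.conf` before the inverted file is included. The sid offset matters more with later Snort releases, which complain about two rules sharing a sid; the 2002-era releases were lax about it, but distinct sids still make the inverted alerts easy to tell apart when reviewing logs.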