[Snort-users] Eliminating rulesets

Jeff Elkins jeff at ...4830...
Sat Feb 9 18:31:04 EST 2002


Thanks Phil :)

(six-pack of  virtual Beck's dark for you :)

Jeff


On Saturday 09 February 2002 08:11 pm, Phil Wood wrote:
> Hmm,
>
> On Sat, Feb 09, 2002 at 07:26:41PM -0500, Jeff Elkins wrote:
> > Thanks.
> >
> > I'll research invert before I repost. Wouldn't want to make someone drink
> > an extra beer :)
>
> % dict invert
>        v 1: make an inversion (in a musical composition); "here the
>             theme is inverted"
>        2: turn inside out or upside down [syn: {reverse}]
>
> What I meant to say was fix up a rules file which looks for attacks going
> out from your site.  An easy way would be to:
>
>  % sed -e 's/EXTERNAL_NET/XXX_NET/' -e 's/HOME_NET/EXTERNAL_NET/' < web-iis.rules | sed -e 's/XXX_NET/HOME_NET/' > inverted-web-iis.rules
>
> But, check the contents of your {EXTERNAL|HOME}_NET variables first.
>
> Also, take another look at the various web alerts that triggered.  You
> might see Forbidden or Connection closed ..., etc.
>
> Or, is that another beer...
>
> > Jeff
> >
> > On Saturday 09 February 2002 06:08 pm, you wrote:
> > > On Sat, Feb 09, 2002 at 01:42:42PM -0500, Jeff Elkins wrote:
> > > > I'm not trying to promote alcohol usage, but I have a newbie
> > > > question:
> > > >
> > > > I'm evaluating Snort on a Linux DSL/firewall box that also serves as
> > > > a mail server and webserver (Sendmail/Apache).  The boxen inside the
> > > > firewall are all Linux as well. I've commented out the
> > > > Microsoft-specific rulesets (IIS,Frontpage and Cold Fusion). Other
> > > > than statistics gathering, is there any reason I'd want them applied?
> > >
> > > You might want to invert them.
> > >
> > > > I was getting a _bunch_ of IIS alerts before I turned them off, btw.
> > > >
> > > > Thanks,
> > > >
> > > > Jeff Elkins
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
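The inversion Phil describes above, written out as an added example (not code from the list post): one sed pass that swaps $HOME_NET and $EXTERNAL_NET through a placeholder, with the g flag so a rule that names a variable twice is fully inverted, plus the net-variable check he recommends. The sample rules, their sids and the snort.conf lines in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an outbound ("inverted") copy of a
# Snort ruleset by swapping $HOME_NET and $EXTERNAL_NET through a placeholder,
# and checks the net variables first, since with "any" on either side the
# inverted rules match exactly the same traffic as the originals.
# Assumes the 2002-era rule syntax: "$EXTERNAL_NET any -> $HOME_NET 80 (...)".

# invert_rules: rules on stdin, inverted rules on stdout. One sed pass, the
# three substitutions applied in order to every line; the g flag covers a rule
# that names the same variable more than once (the original pipeline did not).
invert_rules() {
    sed -e 's/\$EXTERNAL_NET/$XXX_NET/g' \
        -e 's/\$HOME_NET/$EXTERNAL_NET/g' \
        -e 's/\$XXX_NET/$HOME_NET/g'
}

# net_vars_ok CONF: succeed only if snort.conf defines both HOME_NET and
# EXTERNAL_NET and neither is "any" (the check to do before inverting).
net_vars_ok() {
    hn=$(sed -n 's/^var[[:space:]]\{1,\}HOME_NET[[:space:]]\{1,\}//p' "$1" | head -n 1)
    en=$(sed -n 's/^var[[:space:]]\{1,\}EXTERNAL_NET[[:space:]]\{1,\}//p' "$1" | head -n 1)
    [ -n "$hn" ] && [ -n "$en" ] && [ "$hn" != any ] && [ "$en" != any ]
}

# Constructed sample rules (local sid range; not taken from any real ruleset).
SAMPLE_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS unicode traversal"; content:"/..%c0%af../"; nocase; sid:1000002; rev:1;)'

# Usage: sh invert.sh web-iis.rules > inverted-web-iis.rules
# With no argument, inverts the constructed sample so the swap can be inspected.
if [ $# -gt 0 ]; then
    invert_rules < "$1"
else
    printf '%s\n' "$SAMPLE_RULES" | invert_rules
fi
```

Run net_vars_ok against your snort.conf before loading the inverted file; if it fails, the outbound copy adds alerts without adding any new coverage.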



