[Snort-users] Any Interest?

tony at ...4540... tony at ...4540...
Thu Jan 17 06:17:03 EST 2002


Well I have a small Win32 Front End (SnortFE - Win32) at my site -
security.scalzitti.org that I just added a save to csv option based on a
date range.  You can bring it into excel or whatever and look at it, make
charts etc.  I will at some point work on making these charts within the
app itself.

As for best practice, I have always done exactly what you are doing.  After
investigating alerts to decide what are false and what are real, I may
disable the entire rule or add a pass rule for a given system. e.g. our MS
proxy servers can create many false positives.  Remember to start snort
with the correct switch so pass rules are done before alert.

As for tools, well nessus it great.  However it runs on *nix.  You may want
to try getting a eval of something from ISS - it is only good for 30-days
but it would allow you to beat up your setup to tweak rules a bit more.

Lastly, I am not sure about the tiny firewall - I know that ipchains on
Linux can cause a few problems (i.e. pre-routing rules)

-T


> Let me try again,    :-)
>
> I'm new to this list as of last week so this question may be redundant.
> At the risk of starting an OS/NOS religious war I have been playing
> with the WIN32 port of snort since September. I started with just the
> simple command line version and have slowly added more of the wiz bang
> enhancements as I went.  I am presently running 3 sensors. One is just
> the basic command line version alerting through IDSCenter on my
> broadband connection at home. The others are the win32 MYSQL compile on
> windows 2000 on my laptop and a test server at work. I have installed
> and configured ACID on  IIS 5.0 and the win32 release of Apache. I am
> using textPad, IDSCenter and IDS Policy Manager (ActiveWorx) as
> configuration tools. Through the months of testing I have kept the
> original alert.ids file current with all the data gathered by the
> sensors. Obviously this is not the ideal place to keep this info. Which
> leads me to my questions.
> 				1.	Is there a tool or command line to
> parse this info into my MYSQL database (I'm not a SQL guru but have
> dabbled and am not afraid of SQL scripts :-) )?
> 				2.	This one is more general but once I
> have all this info into the db I can at least look at it with ACID and
> start to see trends. What are the "Best Practices" for tuning my rules
> based on my data to reduce false positives and then modify alerting to
> include email and/or pager support?
> 				3.	I am using NmapNT and Netcat for NT
> to scan and probe my sensors to produce alerts. Any other neat tools I
> should be using to tune the rules?
> 				4.	My home network and laptop have a
> software firewall installed on them (Tiny Personal Firewall). Will this
> affect the sensors installed on these PCs? If I understand the WinPcap
> docs this driver lies beneath the IP stack and should see the packets
> before the firewall does, correct?
>
> Thanks in advance for any help.
>
> Brian D. Bartlett







More information about the Snort-users mailing list