[Snort-users] switch port settings?
mkettler at ...4108...
Tue Oct 1 11:02:53 EDT 2002
Sure, this is a very good idea, many snort setups do this. Ultimately
you'll have to weigh if you're interested in attacks within your lan, but
in many cases it makes sense to not trust your users. As far as the high
alert level it looks like you just need to change some of your settings.
In particular you might want to consider:
1) change EXTERNAL_NET to be !$HOME_NET or at least !$SERVERS instead of any.
2) carefully pick which IPs and what thresholds to use for portscan. In
general I try not to watch internal lan servers with this and I tend to
increase the thresholds for snort boxes monitoring inside a lan (as opposed
to those monitoring just the connection from a lan to the internet).
At 11:53 AM 10/1/2002 -0400, Matthew Harrell wrote:
>I recently changed the switch port that my Snort box is on so that it hears
>the traffic that hits all the ports on the switch. This seems like it is a
>good idea in order to have a true NIDS; however, since doing so, I'm
>FLOODED with tons of alert and portscan log entries. I'm in the process of
>playing with ACID to improve the usage of these logs, but is it a good idea
>to leave the switch port set this way?
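Added example, not part of the mailing-list post: a small Python model of the two tuning knobs the reply suggests, showing why a sensor fed by a mirror port floods when EXTERNAL_NET is `any` and how a higher portscan threshold (or an ignore list) quiets internal hosts. The LAN range, the flow list and the ignore list are constructed sample data, and the variable evaluator only knows `any`, `$HOME_NET` and `!$HOME_NET`.

```python
# Added example, not from the original post. Network addresses and flows are
# constructed sample data; HOME_NET is an assumed LAN range.
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = [ip_network("192.168.1.0/24")]  # assumed LAN behind the switch


def in_nets(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def matches_var(addr, var, home_net=HOME_NET):
    """Evaluate a Snort-style address variable: 'any', '$HOME_NET' or '!$HOME_NET'."""
    if var == "any":
        return True
    negate = var.startswith("!")       # '!' in front of the variable inverts it
    return in_nets(addr, home_net) != negate


def count_header_hits(flows, external_net):
    """Flows matching the common rule header '$EXTERNAL_NET any -> $HOME_NET any'."""
    return sum(1 for src, dst, _port in flows
               if matches_var(src, external_net) and matches_var(dst, "$HOME_NET"))


def portscan_sources(flows, ports_threshold, ignore=()):
    """Sources that touched at least `ports_threshold` distinct ports on one host.
    A simplified stand-in for the portscan preprocessor's port-count threshold,
    with `ignore` playing the role of a portscan ignore-hosts list."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        if src not in ignore:
            seen[(src, dst)].add(port)
    return sorted({src for (src, _dst), ports in seen.items()
                   if len(ports) >= ports_threshold})


# Constructed flows as a mirror port would show them: LAN chatter plus internet traffic.
FLOWS = [
    ("192.168.1.10", "192.168.1.20", 445), ("192.168.1.10", "192.168.1.20", 139),
    ("192.168.1.11", "192.168.1.20", 445),
    ("192.168.1.5", "192.168.1.20", 80), ("192.168.1.5", "192.168.1.20", 443),
    ("192.168.1.5", "192.168.1.20", 22), ("192.168.1.5", "192.168.1.20", 25),  # LAN monitor box
    ("203.0.113.7", "192.168.1.20", 80),
    ("203.0.113.9", "192.168.1.20", 21), ("203.0.113.9", "192.168.1.20", 22),
    ("203.0.113.9", "192.168.1.20", 23), ("203.0.113.9", "192.168.1.20", 25),
    ("203.0.113.9", "192.168.1.20", 80), ("203.0.113.9", "192.168.1.20", 110),
]

if __name__ == "__main__":
    print("EXTERNAL_NET any        :", count_header_hits(FLOWS, "any"))        # 14
    print("EXTERNAL_NET !$HOME_NET :", count_header_hits(FLOWS, "!$HOME_NET"))  # 7
    print("portscan threshold 4    :", portscan_sources(FLOWS, 4))
    print("portscan threshold 5    :", portscan_sources(FLOWS, 5))
    print("threshold 4, LAN monitor ignored:", portscan_sources(FLOWS, 4, ignore={"192.168.1.5"}))
```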