[Snort-users] Which rules for specific open ports?

Erek Adams erek at ...950...
Sat Jul 5 23:13:22 EDT 2003


On Sat, 5 Jul 2003 briankd at ...2827... wrote:

> I'm setting up an Apache/PHP web server behind my DSL router, and setting
> the router to only forward ports 80 and 22 to the server.  I'm concerned
> about potential intrusions, but I feel like I've covered a lot of the
> potential exposures by using the port-forwarding scenario.

Some.  Be cautious and don't let that fool you into a false sense of
security.

> I followed the recipe at
> http://www.internetsecurityguru.com/documents/snort_acid_rh9.pdf to set
> Snort/PHP/Acid up on this web server.  Is there a way I can determine
> which rules & preprocessors are the only ones necessary to protect against
> intrusion on those two ports?

stream4, converstation, http_decode for sure.  Rules?  Well, any that deal
with web applications (rules/web*) or that have port 22 in them.  A
simple:

	egrep -i " 22 |ssh" rules/*.rules

Should snag most of them.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list