AW: [Snort-users] Rules optimization

Sean Wheeler s.wheeler at ...2876...
Thu Jun 19 01:34:26 EDT 2003


Using
	var HOME_NET 10.10.10.0/24
	var EXTERNAL_NET !$HOME_NET

as indicated, would not monitor attacks conducted from one HOME_NET machine
to another HOME_NET machine given the general EXTERNAL_NET -> HOME_NET
rules.
So if a box in the HOME_NET range was compromised the attacker would
generally be free to scan the HOME_NET going undetected.


Using
	var HOME_NET 10.10.10.0/24
	var EXTERNAL_NET any

as indicated would solve the issue, if the above scenario is applicable to
what you want your IDS to do.
(no doubt false positives may creep in....arg !! compromise compromise)


Then again having a deployment watching
	var HOME_NET 10.10.10.0/24
	var EXTERNAL_NET !$HOME_NET

and another watching

	var HOME_NET 10.10.10.0/24
	var EXTERNAL_NET $HOME_NET

would be just peachy ;)

regards
Sean



-----Ursprungliche Nachricht-----
Von: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]Im Auftrag von Erek
Adams
Gesendet: Mittwoch, 18. Juni 2003 19:20
An: Vuppala, Vijaybhasker (EM, GECIS)
Cc: snort-users at lists.sourceforge.net
Betreff: Re: [Snort-users] Rules optimization


On Wed, 18 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:

> I have used Snort ver 1.8.7 on Redhat Linux 7.3 with Default Rules
provided

[...snip...]

You need to upgrade.  Versions <=1.9.1 have a nasty remotely exploitable
hole in them.

As for rule tuning, it sounds like you don't have the HOME_NET and
EXTERNAL_NET variables set correctly.  HOME_NET should be set to the
network you want to "watch", and EXTERNAL_NET should be everything else.
So if your network was 10.10.10.0/24:

	var HOME_NET 10.10.10.0/24
	var EXTERNAL_NET !$HOME_NET

With those settings it should reduce the number of false postives you get.

As for tuning, you simply have to get Snort setup and working, and then
examine each and every alert.  You have then decide if the packets are
'normal' or not.  You'll discover things that you need to setup pass rules
for, add BPF filters or add a rule for.  Something like Ntop [0] is very
helpful in this respect to get a nice 'overview' of your networks traffic.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.ntop.org/


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list