[Snort-users] Getting more paranoid by the minute. :-/

Romulo M. Cholewa rmc at ...8111...
Sat Apr 24 19:51:03 EDT 2004


As Paul mentioned, paranoia is a good thing ;D

But keep in mind that snort won't "protect" your customer. It will help
in that effort. It's a tool, like many others, that, if properly set up,
will do a small amount of things that when put together with other
tools, will help you build up a secure environment.

I would like to suggest that you look at the security as a process, not
as a bunch of tools. Maybe I didn't interpret correctly your phrase, but
the idea behind the... 

"It's important that I do it right, or their customer's sensitive data
will be compromised"

... seems like you are relying on snort for the task. I won't go further
this way, but I would like to recommend Schneier's book, Digital
Security in a Networked World.

If you were hired to employ *only* snort sensors, you can't think that
only the sensors will keep the potential risk out of the network. It
will only warn you, if properly configured, when someone attempts to
brake in. Concerning to deploying an IDS, keep in mind that reducing the
number of false alerts is a nice goal to pursue.

Also, try to work as close as possible to the guys doing the system
hardening and implementation. They can tell you what are their goals, so
you can screen the snort setup better.

Romulo M. cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40





] -----Original Message-----
] From: snort-users-admin at lists.sourceforge.net 
] [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
] Shaun T. Erickson
] Sent: Saturday, April 24, 2004 10:36 PM
] To: snort-users at lists.sourceforge.net
] Subject: [Snort-users] Getting more paranoid by the minute. :-/
] 
] 
] As I mentioned in an earlier post, I've been hired to set up several 
] snort servers for a client. It's important that I do it 
] right, or their 
] customer's sensitive data will be compromised.
] 
] The more I read Syngress Snort 2.0 book (I'm in chapter 5), 
] the more I 
] understand that there are an endless number of attacks out there. I'm 
] concerned that my lack of knowledge will let an attacker at 
] the data. I 
] can't let that happen.
] 
] How can I possibly learn enough, quickly enough, to write all 
] the rules 
] to protect my client, when I don't even know all the attacks and 
] exploits that are out there?
] 
] I understand that snort comes with a standard set of rules, 
] that I can 
] update off the net, to stay current. Is this standard set of 
] rules going 
] to be enough to protect my client, initially, as I continue 
] to learn snort?
] 
] I'm trying to absorb as much as I can, as fast as I can, but 
] they need 
] this installed NOW, and I'm just concerned that my ignorance, 
] as I come 
] up to speed, not cost them everything.
] 
] Advice? Suggestions? Valium? Please.
] 
] 	-ste
] 
] 
] -------------------------------------------------------
] This SF.net email is sponsored by: The Robotic Monkeys at 
] ThinkGeek For a limited time only, get FREE Ground shipping 
] on all orders of $35 or more. Hurry up and shop folks, this 
] offer expires April 30th! 
] http://www.thinkgeek.com/freeshipping/?cpg=12297
] _______________________________________________
] Snort-users mailing list
] Snort-users at lists.sourceforge.net
] Go to this URL to change user options or unsubscribe: 
] https://lists.sourceforge.net/lists/listinfo/snort-users
] Snort-users list archive: 
] http://www.geocrawler.com/redir-sf.php3?list=snort-users
] 




More information about the Snort-users mailing list