[Snort-users] Getting more paranoid by the minute. :-/

Jim Hendrick jrhendri at ...9784...
Sun Apr 25 05:57:05 EDT 2004


OK. From what I gather from the other posts:

You are relatively new to security.
You are expected to secure everything.
It was supposed to be done yesterday.

That's not great. It looks complicated to you because *it is*...

The client seems to understand about (at least the need for):
snort, tripwire, nessus, firewalls.

That's pretty good.
You should be able to get some support from whoever is there who has that
basic knowledge.
The client needs to understand that this is *not* a one person job. (What
if/when you leave? They need to have things documented and understand who
would be the secondary person.)

The process of securing this should be viewed in layers, with snort as a
warning system *not* a defense system.

You are on the right track.
If I can offer a couple of suggestions to help you prioritize things:

Policies:
I know it sounds like this is the wrong time, but before you know what to
implement, you need to understand what is expected to be allowed and how
exceptions are to be handled. Once it is up and running, this will become
more and more important (when you get an email or phone call, or are
stopped in the hall, and asked to open up the firewall or run another
service).
This also needs to address incident response. No matter how well you do your
job, something will happen (an internal virus, a new vulnerability exploit,
a denial of service attack). You should think about how you will be expected
to respond. Will you have the resources (inside and outside the company) to
support you? Do you know (by name) a contact at your ISP in case you need
their help? Do you have other technical resources you can call on (vendors,
etc.) in an emergency?

That said, take a look at these ramblings and see if they help.

Perimeter hardening (network firewall) should only allow services required
and deny all else.
Sounds basic, but it is surprising how many businesses get this wrong. Make
sure the ruleset for the service-network (sometimes called DMZ) is very
specific.
That is, if you need to allow http(s) to a server, make sure it is only
allowed to *that* server.
Same for DNS, email, etc.
You should also be interested in outbound services (would your HTTP server
*ever* be normally expected to start an outbound ftp, tftp, ssh connection?
If not, deny it.)
Same for all other servers.

Monitoring: This is where snort comes in (along with tripwire, checking
logs, etc.)
The objective is to:
1 - know what is normal
2 - alert on what is not
3 - minimize the line-noise so you won't go crazy.
This takes some time. You may not know exactly what services are required to
run the business. Take some time to learn it (even now when they are in the
last stages of development/testing).
While we're at it, make sure you understand what are development/testing
activities and when they can be shut down (when you go live).

Server configuration:
Minimalist. Don't install more than you need. Better to install less and
have to add a package than to install more and have an unnecessary
vulnerability on the system.

Server monitoring:
Tripwire is your friend, but can be a maintenance chore. Start using it as
soon as you do the install, and see what are *normal* changes after reboots,
patch installs, log rotation, etc. etc.
Again the objective here is:
1 - know what is normal
2 - alert on what is not
3 - minimize the line-noise so you won't go crazy.

Patching - make sure you have a strategy for maintaining all (not just
production) servers up to date. This does not mean "always apply every patch
when it comes out". Again here, you need to understand what services you are
running and stay on top of *those* patches (e.g. you wouldn't need to apply
an ftpd patch on a server where it wasn't running).


A last quick bit of advice. Take a look at this list and make sure you
understand the risk associated with each one. It isn't a silver-bullet, but
it is a great place to start and gets the highest risks under control
quickly.

http://www.sans.org/top20/#threats

There are also a lot of resources (step-by-step guides are great) at the
SANS store.
I don't mean to endorse them *exclusively*. There are certainly a lot of
other resources out there (SANS does not hold a corner on the market, they
are just one of the better groups).


Good luck.

Jim Hendrick
GCFW, GCIH, GCIA

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Shaun T.
> Erickson
> Sent: Saturday, April 24, 2004 9:36 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Getting more paranoid by the minute. :-/
>
>
> As I mentioned in an earlier post, I've been hired to set up several
> snort servers for a client. It's important that I do it
> right, or their
> customer's sensitive data will be compromised.
>
> The more I read Syngress Snort 2.0 book (I'm in chapter 5),
> the more I
> understand that there are an endless number of attacks out there. I'm
> concerned that my lack of knowledge will let an attacker at
> the data. I
> can't let that happen.
>
> How can I possibly learn enough, quickly enough, to write all
> the rules
> to protect my client, when I don't even know all the attacks and
> exploits that are out there?
>
> I understand that snort comes with a standard set of rules,
> that I can
> update off the net, to stay current. Is this standard set of
> rules going
> to be enough to protect my client, initially, as I continue
> to learn snort?
>
> I'm trying to absorb as much as I can, as fast as I can, but
> they need
> this installed NOW, and I'm just concerned that my ignorance,
> as I come
> up to speed, not cost them everything.
>
> Advice? Suggestions? Valium? Please.
>
> 	-ste
>
>
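The per-server allow-list Jim describes (allow http(s) only to *that* server, deny any outbound connection a server should never start, know what is normal, alert on what is not, and keep the noise down) worked through as an added example that is not part of either post. The host addresses, the flow-log format and the log lines are constructed for illustration, and the two policy sets are assumptions standing in for a real DMZ inventory; the point is that the ruleset is written per server and per direction, with everything else denied, and that repeated identical alerts are collapsed so one noisy scan does not produce a hundred lines.

```python
"""Audit DMZ flow records against a per-server, per-direction allow-list.

Added example; not code from the original thread. Addresses, ports,
log format and log lines below are constructed for illustration.
"""
import re
from collections import Counter
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Assumed service-network (DMZ) inventory.
WEB, DNS, MAIL = "10.1.0.10", "10.1.0.20", "10.1.0.30"
DMZ_HOSTS = {WEB, DNS, MAIL}

# Inbound: (destination host, proto, port). Anything not listed is denied,
# so http(s) is allowed only to the web server, not to every DMZ host.
INBOUND_ALLOW = {
    (WEB, "tcp", 80), (WEB, "tcp", 443),
    (DNS, "udp", 53), (DNS, "tcp", 53),
    (MAIL, "tcp", 25),
}
# Outbound: (source host, proto, port) a server is expected to *initiate*.
# The web server is not listed at all: it should never start connections out.
OUTBOUND_ALLOW = {
    (DNS, "udp", 53), (DNS, "tcp", 53),   # recursion / zone transfers
    (MAIL, "tcp", 25), (MAIL, "udp", 53), # relay mail, resolve MX records
}

# Constructed log format: "<timestamp> <src>:<sport> > <dst>:<dport> <proto>"
LINE_RE = re.compile(r"^\S+\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+(tcp|udp)$")

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed log line; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, _sport, dst, dport, proto = m.groups()
    return Flow(src, dst, proto, int(dport))

def evaluate(flow: Flow) -> Optional[str]:
    """Return None if the policy allows the flow, otherwise the reason to alert."""
    src_dmz, dst_dmz = flow.src in DMZ_HOSTS, flow.dst in DMZ_HOSTS
    if dst_dmz and not src_dmz:                      # inbound from outside
        if (flow.dst, flow.proto, flow.dport) in INBOUND_ALLOW:
            return None
        return f"inbound {flow.proto}/{flow.dport} to {flow.dst} is not in the allow-list"
    if src_dmz and not dst_dmz:                      # server initiating outbound
        if (flow.src, flow.proto, flow.dport) in OUTBOUND_ALLOW:
            return None
        return f"{flow.src} initiated outbound {flow.proto}/{flow.dport}, which it never should"
    if src_dmz and dst_dmz:                          # server-to-server inside the DMZ
        return f"unexpected lateral traffic {flow.src} -> {flow.dst} inside the service network"
    return None                                      # neither end is ours; out of scope here

def audit(lines):
    """Return (alert counts, unparsed lines).

    Alerts are keyed by reason and counted, so three identical outbound
    attempts show up as one line with a count rather than three alerts.
    """
    counts: Counter = Counter()
    unparsed = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            unparsed.append(line)
            continue
        reason = evaluate(flow)
        if reason:
            counts[reason] += 1
    return counts, unparsed

# Constructed sample log: normal web/DNS/mail traffic plus three violations.
SAMPLE_LOG = """\
2004-04-25T05:57:05 203.0.113.7:40123 > 10.1.0.10:80 tcp
2004-04-25T05:57:06 203.0.113.7:40124 > 10.1.0.10:443 tcp
2004-04-25T05:57:07 203.0.113.7:40125 > 10.1.0.20:80 tcp
2004-04-25T05:57:08 198.51.100.9:5353 > 10.1.0.20:53 udp
2004-04-25T05:57:09 10.1.0.10:51001 > 198.51.100.44:22 tcp
2004-04-25T05:57:10 10.1.0.10:51002 > 198.51.100.44:22 tcp
2004-04-25T05:57:11 10.1.0.10:51003 > 198.51.100.44:22 tcp
2004-04-25T05:57:12 10.1.0.30:44000 > 198.51.100.25:25 tcp
2004-04-25T05:57:13 10.1.0.10:51004 > 10.1.0.30:25 tcp
garbage line the parser cannot read
"""

if __name__ == "__main__":
    alerts, bad = audit(SAMPLE_LOG.splitlines())
    for reason, n in alerts.most_common():
        print(f"{n:4d}  {reason}")
    print(f"{len(bad)} unparsed line(s)")
```

The same allow-list structure is what the firewall ruleset itself should express (specific destination, specific port, default deny, per direction); running it over flow or firewall logs afterwards is how you find out whether the ruleset you wrote matches what the servers actually do before you go live.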