[Snort-users] Getting more paranoid by the minute. :-/

Donofrio, Lewis donofrio at ...1052...
Mon Apr 26 10:20:03 EDT 2004


Romulo, Et al.

I might also add that a snort sensor preconfigured with firewall (NAT)
comes in a nice 20mb ISO called www.ipcop.com v1.4b3 is what I'm running
at work under my desk <-:

I have two subnets:
- one for my production network 
- one for VLAN9 

Its protecting both and seems too be a very robust sensor project for
snort to use.... 

--"Knowledge is power"
______________________________________________________________________ 
Lewis Donofrio at ...1052...      College of Literature, Science, & Arts 
1007 East Huron, Room 201,    BetaID:243340     Cell: (734) 323-8776
Ann Arbor,MI 48104-1690 www.umich.edu/~donofrio Fax: (734) 647-8333 
----------------------------------------------------------------------
()  ascii ribbon campaign - against html mail 
/\         [http://arc.pasp.de/]

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Romulo M.
Cholewa
Sent: Saturday, April 24, 2004 10:50 PM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Getting more paranoid by the minute. :-/

As Paul mentioned, paranoia is a good thing ;D

But keep in mind that snort won't "protect" your customer. It will help
in that effort. It's a tool, like many others, that, if properly set up,
will do a small amount of things that when put together with other
tools, will help you build up a secure environment.

I would like to suggest that you look at the security as a process, not
as a bunch of tools. Maybe I didn't interpret correctly your phrase, but
the idea behind the... 

"It's important that I do it right, or their customer's sensitive data
will be compromised"

... seems like you are relying on snort for the task. I won't go further
this way, but I would like to recommend Schneier's book, Digital
Security in a Networked World.

If you were hired to employ *only* snort sensors, you can't think that
only the sensors will keep the potential risk out of the network. It
will only warn you, if properly configured, when someone attempts to
brake in. Concerning to deploying an IDS, keep in mind that reducing the
number of false alerts is a nice goal to pursue.

Also, try to work as close as possible to the guys doing the system
hardening and implementation. They can tell you what are their goals, so
you can screen the snort setup better.

Romulo M. cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40





] -----Original Message-----
] From: snort-users-admin at lists.sourceforge.net
] [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of ] Shaun
T. Erickson ] Sent: Saturday, April 24, 2004 10:36 PM ] To:
snort-users at lists.sourceforge.net ] Subject: [Snort-users] Getting more
paranoid by the minute. :-/ ] ] ] As I mentioned in an earlier post,
I've been hired to set up several ] snort servers for a client. It's
important that I do it ] right, or their ] customer's sensitive data
will be compromised.
]
] The more I read Syngress Snort 2.0 book (I'm in chapter 5), ] the more
I ] understand that there are an endless number of attacks out there.
I'm ] concerned that my lack of knowledge will let an attacker at ] the
data. I ] can't let that happen.
]
] How can I possibly learn enough, quickly enough, to write all ] the
rules ] to protect my client, when I don't even know all the attacks and
] exploits that are out there?
]
] I understand that snort comes with a standard set of rules, ] that I
can ] update off the net, to stay current. Is this standard set of ]
rules going ] to be enough to protect my client, initially, as I
continue ] to learn snort?
]
] I'm trying to absorb as much as I can, as fast as I can, but ] they
need ] this installed NOW, and I'm just concerned that my ignorance, ]
as I come ] up to speed, not cost them everything.
]
] Advice? Suggestions? Valium? Please.
] 
] 	-ste
]
]
] -------------------------------------------------------
] This SF.net email is sponsored by: The Robotic Monkeys at ] ThinkGeek
For a limited time only, get FREE Ground shipping ] on all orders of $35
or more. Hurry up and shop folks, this ] offer expires April 30th! 
] http://www.thinkgeek.com/freeshipping/?cpg=12297
] _______________________________________________
] Snort-users mailing list
] Snort-users at lists.sourceforge.net
] Go to this URL to change user options or unsubscribe: 
] https://lists.sourceforge.net/lists/listinfo/snort-users
] Snort-users list archive: 
] http://www.geocrawler.com/redir-sf.php3?list=snort-users
] 


-------------------------------------------------------
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For
a limited time only, get FREE Ground shipping on all orders of $35 or
more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg297
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users






More information about the Snort-users mailing list