[Snort-users] Re: Confused about rules and logs

Richard Bejtlich richard_bejtlich at ...131...
Mon May 10 07:42:09 EDT 2004

b311b-snort wrote:

I have three other Windows PCs on my small network;
this is the only one that's giving me trouble.


Hello again,

What is your threat model?  Are you running Snort on
an internal LAN without Internet exposure, or are
these systems exposed to the Internet?  

I regard Snort and its default rules as generally
externally threat-minded.  For internal threats, a
different mindset and approach is needed.  Internal
threats are less likely to run port scans and launch
exploits.  They are more likely to abuse their
privileges and access sensitive information.  

Internal threats are best countered by strict auditing
and granular host- and resource-based access control,
not network-based IDS.


