[Snort-users] Snort as an anomalous behavior IDS

Jason Haar Jason.Haar at ...294...
Fri Apr 2 07:09:47 EDT 2010


On 04/01/2010 11:32 AM, Willst Mail wrote:
> Is it as simple having a
> ruleset with the good rules, and a final rule that matches (any any ->
> any any)?
>   
We use snort to monitor DMZes that way. Unlike real networks, DMZes are
meant to contain hosts that have specific roles, and don't have users
logged in running Skype/etc. i.e. their traffic flows are predictable. In
particular, they shouldn't initiate outbound connections beyond the
expected AV updates, Windows/YUM updates/etc.

Then we created pass rules that allow such things, and trigger alerts
on the rest. On our network, DMZ alerts are really quiet for ages - and
then some SysAdmin will forget where they are and go and read their
Gmail or something - and we get an alert - soon followed by a "sorry!
it's me!" - that proves it's working :-)

However, FTP is your enemy - no easy way to write "pass" rules for FTP.
I've got HTTP "pass" rules to allow connections to hosts containing
"uricontent:/repos/", or whitelist particular User-Agents - but you
can't say "allow curl to ftp files"

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
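The pass-then-alert layout described in the message, written out as an added Snort 2.x rules fragment; it is not from the post and not from the Snort project. The address variables ($DMZ_NET, $EXTERNAL_NET, $DNS_SERVERS, $NTP_SERVERS, $REPO_SERVERS, $FTP_SERVERS), the User-Agent string and the SIDs are constructed for the example. Two details matter for this to behave as described: pass rules only help if Snort evaluates them before alert rules (Snort 2.8 and later do so by default and `--alert-before-pass` restores the old order; earlier releases need the `-o` switch), and a pass rule that keys on HTTP content can only suppress a catch-all that keys on the same request packet, not one that fires on the SYN.

```snort
# Added example: anomaly-style rule set for one DMZ segment (not from the post).
# Assumed to be defined in snort.conf (values are constructed):
#   ipvar DMZ_NET      [192.0.2.0/24]
#   ipvar EXTERNAL_NET !$DMZ_NET
#   ipvar DNS_SERVERS  [198.51.100.53]
#   ipvar NTP_SERVERS  [198.51.100.123]
#   ipvar REPO_SERVERS [198.51.100.10]
#   ipvar FTP_SERVERS  [198.51.100.21]

# --- Expected traffic: infrastructure services, identified by destination ---
pass udp $DMZ_NET any -> $DNS_SERVERS 53  (msg:"DMZ expected DNS"; sid:1000001; rev:1;)
pass udp $DMZ_NET any -> $NTP_SERVERS 123 (msg:"DMZ expected NTP"; sid:1000002; rev:1;)

# --- Expected traffic: HTTP requests, identified by content ---
# These match the request packet, so the HTTP catch-all below must match
# the request packet as well, otherwise it fires before the URI is seen.
pass tcp $DMZ_NET any -> $REPO_SERVERS 80 (msg:"DMZ YUM repo fetch"; \
    flow:to_server,established; uricontent:"/repos/"; sid:1000003; rev:1;)
pass tcp $DMZ_NET any -> $EXTERNAL_NET 80 (msg:"DMZ AV updater"; \
    flow:to_server,established; content:"User-Agent|3A| ExampleAVUpdater"; http_header; \
    sid:1000004; rev:1;)

# --- FTP: only the control channel can be whitelisted ---
# Passive-mode data connections go to ephemeral ports that no static pass
# rule can predict, so they still hit the TCP catch-all (the problem the
# post describes).
pass tcp $DMZ_NET any -> $FTP_SERVERS 21 (msg:"DMZ expected FTP control"; \
    flow:to_server,established; sid:1000005; rev:1;)

# --- Everything else leaving the DMZ is an anomaly ---
# HTTP: any request line that no pass rule above claimed.
alert tcp $DMZ_NET any -> $EXTERNAL_NET 80 (msg:"DMZ unexpected HTTP request"; \
    flow:to_server,established; content:" HTTP/1."; sid:1000010; rev:1;)
# Other TCP: one alert per connection attempt, keyed on the outbound SYN
# (port 80 is excluded because it is handled by the request-level rule).
alert tcp $DMZ_NET any -> $EXTERNAL_NET !80 (msg:"DMZ unexpected outbound TCP"; \
    flags:S,12; sid:1000011; rev:1;)
# Other UDP: every packet matches, so rate-limit it in threshold.conf, e.g.
#   event_filter gen_id 1, sig_id 1000012, type limit, track by_src, count 1, seconds 300
# A DMZ host that itself serves UDP (e.g. authoritative DNS) needs its own
# pass rule for its replies, such as: pass udp $DMZ_NET 53 -> $EXTERNAL_NET any
alert udp $DMZ_NET any -> $EXTERNAL_NET any (msg:"DMZ unexpected outbound UDP"; \
    sid:1000012; rev:1;)
```

The catch-all rules deliberately describe only the DMZ-originated direction: the TCP rule keys on the SYN flag, so replies from DMZ servers to inbound clients (SYN-ACK and later packets) never match it, which is what keeps the alert volume near zero on a segment whose hosts only answer connections.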