[Snort-users] Configuration questions-snort multiple instances

wkitty42 at ...14940... wkitty42 at ...14940...
Tue May 2 12:11:01 EDT 2017

On 05/02/2017 10:27 AM, Stanford Prescott wrote:
> Is it necessary to define the DNS_SERVERS for the LAN interfaces?

yes if any rules are used that need the DNS_SERVERS variable defined... a quick

grep -E -e "DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules | wc -l

of my sensor's installation shows 29 rules using that variable... of those, 21 
are disabled...

FWIW: i would keep the DNS_SERVERS defined to the internal LAN IP for that 
interface specifically to be able to catch internal machines attempting these 
lookups that are indicators of malfeasance...

this grep will show you the enabled rules that have DNS_SERVERS defined in 
them... some are research scanners (in my local.rules), some are conficker 
detections, some are DoS packet related, some are looking for DNS cache poisoning...

grep -E -e "^[^#].*DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules

> 2. Each snort instance has its own rule sets. One of these is the Talos
> reputation IP blacklists. Should the internal LAN instances of snort also
> have access to the public IP addresses provided by the Talos IP blacklists
> since the internal LANs really only use private IP addresses?

the internals LANs may use only RFC1918 address but they make requests to WAN 
IPs as well... yes, blacklists and whitelists are a GoodThing<tm> to consider on 
the LAN interfaces... especially to prevent from and determine which internal 
systems are attempting to contact those blacklisted IPs... especially if those 
internal systems are trying to exfiltrate personal or corporate information...

  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-users mailing list