[Snort-users] Configuration questions-snort multiple instances
stan.prescott at ...11827...
Tue May 2 13:07:41 EDT 2017
That all makes sense. Thanks!
On Tue, May 2, 2017 at 11:11 AM, <wkitty42 at ...14940...> wrote:
> On 05/02/2017 10:27 AM, Stanford Prescott wrote:
> > Is it necessary to define the DNS_SERVERS for the LAN interfaces?
> yes if any rules are used that need the DNS_SERVERS variable defined... a
> grep -E -e "DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules | wc -l
> of my sensor's installation shows 29 rules using that variable... of those,
> 21 are disabled...
> FWIW: i would keep the DNS_SERVERS defined to the internal LAN IP for that
> interface specifically to be able to catch internal machines attempting
> lookups that are indicators of malfeasance...
> this grep will show you the enabled rules that have DNS_SERVERS defined in
> them... some are research scanners (in my local.rules), some are conficker
> detections, some are DoS packet related, some are looking for DNS cache
> grep -E -e "^[^#].*DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules
> > 2. Each snort instance has its own rule sets. One of these is the Talos
> > reputation IP blacklists. Should the internal LAN instances of snort also
> > have access to the public IP addresses provided by the Talos IP
> > since the internal LANs really only use private IP addresses?
> the internal LANs may use only RFC1918 addresses but they make requests to
> IPs as well... yes, blacklists and whitelists are a GoodThing<tm> to
> consider on the LAN interfaces... especially to prevent from and determine
> which systems are attempting to contact those blacklisted IPs... especially
> if internal systems are trying to exfiltrate personal or corporate
> NOTE: No off-list assistance is given without prior approval.
> *Please keep mailing list traffic on the list* unless
> private contact is specifically requested and granted.