[Snort-users] Configuration questions-snort multiple instances

Stanford Prescott stan.prescott at ...11827...
Tue May 2 13:07:41 EDT 2017


That all makes sense. Thanks!

On Tue, May 2, 2017 at 11:11 AM, <wkitty42 at ...14940...> wrote:

> On 05/02/2017 10:27 AM, Stanford Prescott wrote:
> > Is it necessary to define the DNS_SERVERS for the LAN interfaces?
>
> yes if any rules are used that need the DNS_SERVERS variable defined... a quick
>
> grep -E -e "DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules | wc -l
>
> of my sensor's installation shows 29 rules using that variable... of those, 21
> are disabled...
>
> FWIW: i would keep the DNS_SERVERS defined to the internal LAN IP for that
> interface specifically to be able to catch internal machines attempting these
> lookups that are indicators of malfeasance...
>
>
> this grep will show you the enabled rules that have DNS_SERVERS defined in
> them... some are research scanners (in my local.rules), some are conficker
> detections, some are DoS packet related, some are looking for DNS cache
> poisoning...
>
> grep -E -e "^[^#].*DNS_SERVERS" /var/smoothwall/snort/*rules*/*.rules
>
> > 2. Each snort instance has its own rule sets. One of these is the Talos
> > reputation IP blacklists. Should the internal LAN instances of snort also
> > have access to the public IP addresses provided by the Talos IP blacklists
> > since the internal LANs really only use private IP addresses?
>
> the internal LANs may use only RFC1918 address but they make requests to WAN
> IPs as well... yes, blacklists and whitelists are a GoodThing<tm> to consider on
> the LAN interfaces... especially to prevent from and determine which internal
> systems are attempting to contact those blacklisted IPs... especially if those
> internal systems are trying to exfiltrate personal or corporate information...
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>

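The check the quoted reply sketches with grep, extended into a small script that counts the rules referencing a variable, counts only the enabled ones, and then lists every $VARIABLE that enabled rules use but that a given snort.conf never defines. This is an added example, not code from the thread or from Snort; the rules file and snort.conf it reads are constructed inline under a temporary directory, and the directory path is an assumption.

```shell
#!/bin/sh
# Added example: which rule variables does each snort instance actually need?
export LC_ALL=C
RULES_DIR="${TMPDIR:-/tmp}/snort-var-check.$$"   # assumed scratch location
mkdir -p "$RULES_DIR"

# Constructed sample rules: three reference $DNS_SERVERS, one of them disabled.
cat > "$RULES_DIR/sample.rules" <<'EOF'
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"constructed DNS rule 1"; sid:9000001; rev:1;)
# alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"constructed DNS rule 2 (disabled)"; sid:9000002; rev:1;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"constructed DNS rule 3"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed HTTP rule"; sid:9000004; rev:1;)
EOF

# Constructed snort.conf for a LAN instance that (deliberately) never defines DNS_SERVERS.
cat > "$RULES_DIR/snort.conf" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
EOF

# Count every rule line, enabled or not, that references the variable in $1.
rules_using() {  # $1 = variable name, $2 = rules directory
    grep -h -E -e "\\\$$1([^A-Za-z0-9_]|\$)" "$2"/*.rules | wc -l | tr -d ' '
}
# Same, but only rules that are enabled (line does not start with '#').
enabled_rules_using() {
    grep -h -E -e "^[^#].*\\\$$1([^A-Za-z0-9_]|\$)" "$2"/*.rules | wc -l | tr -d ' '
}
# Every $VARIABLE referenced by enabled rules, one per line, sorted and de-duplicated.
enabled_vars() {  # $1 = rules directory
    grep -h -E -e '^[^#]' "$1"/*.rules | grep -o -E '\$[A-Z_]+' | tr -d '$' | sort -u
}
# Every variable a snort.conf defines via var/ipvar/portvar.
defined_vars() {  # $1 = snort.conf
    grep -E -e '^(ipvar|portvar|var)[[:space:]]+[A-Z_]+' "$1" | awk '{print $2}' | sort -u
}
# Variables that enabled rules need but this instance's conf never defines:
# each must be defined for that instance (or its rules disabled) before snort will start.
undefined_vars() {  # $1 = snort.conf, $2 = rules directory
    enabled_vars "$2" > "$2/.used"
    defined_vars "$1" > "$2/.defined"
    comm -23 "$2/.used" "$2/.defined"
}

echo "enabled rules using DNS_SERVERS: $(enabled_rules_using DNS_SERVERS "$RULES_DIR")"
echo "used by enabled rules but undefined: $(undefined_vars "$RULES_DIR/snort.conf" "$RULES_DIR")"
```

Point the two directory arguments at a real instance's rules directory and snort.conf to see which variables that instance must define.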