IDS: Re: Snort as IDS

Re: Snort as IDS

From: Sanjay R <2sanjayr_at_gmail.com>
Date: Mon, 14 Jan 2008 08:40:18 +0530

Hi Jon:
The first thing that I observed about Snort is this: the administrator
should be very good at tuning it according to h(is|er) understanding
of the network. The Snort rules are prone to false alarms, so you have to
bang your head ;)
Other comments are...
On Jan 11, 2008 4:03 PM, Jon Uriona <jurionamendi_at_yahoo.es> wrote:
> Hi all,
>
> I need to know if I need to apply web detection rules
> (attacks, cgi, client, misc, php...) and the preprocessor (http_inspect) to
> devices acting as web proxies. I am getting thousands of alerts due to
> those rules from my proxy clients and their external requests, all of
> which I believe are false. Am I right?
I am a bit confused, as Snort is a network-level IDS, and therefore why do
you need to configure it specifically for each client? Also, any proxy
embeds the HTTP request/response in other HTTP packets and forwards it to
the client/server. So, if the attack is against a client, the proxy server
is safe, as it may not be processing the packet (of course, if
additional checks are not configured in it).
>
> And for web servers different than apache and IIS, do I have to apply
> http_inspect with any profile?
Yes, if you are monitoring your web server, you should apply those rules.
>
> I am trying to set up my http_inspect preprocessor.
> If I have a Squid proxy listening on ports 80 and 8080, do I need to
> configure a preprocessor http_inspect_server for it? And should I use
> apache profile?
>
> If I am using any other web server (neither IIS nor Apache), do I need
> to configure a preprocessor http_inspect_server for it? If so, which
> profile?
>
> And same question about application servers, like AOL for example. Do I
> need to configure http_inspect_server for it? Which profile?

The answer to the last few queries is: if the traffic involves HTTP,
enable a generic profile. Do some monitoring for some time and tune
your rules accordingly.
>
> Thanx in advance,
>
> Jon
>
>

Sanjay

-- 
Computer Security Learner
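A snort.conf fragment in the spirit of Sanjay's advice, added here as an example and not taken from the thread: the Squid proxy on ports 80 and 8080 from Jon's question gets the generic `all` profile, an assumed Apache host gets the `apache` profile, and everything else falls through to a generic default. The addresses are placeholders, and the `proxy_alert` / `allow_proxy_use` pairing is an assumed tuning choice for the proxy rather than anything the thread prescribes.

```conf
# Global http_inspect settings. unicode.map ships with Snort. proxy_alert
# makes Snort alert on HTTP traffic that looks like proxy use, unless the
# matching server entry says allow_proxy_use.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    proxy_alert

# The Squid proxy from the question, listening on 80 and 8080. It is
# neither IIS nor Apache, so it gets the generic "all" profile.
# allow_proxy_use tells http_inspect that proxying through this host is
# expected, so proxy-use alerts are not raised for it.
# 192.0.2.10 is a placeholder address.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile all \
    ports { 80 8080 } \
    allow_proxy_use

# An assumed Apache web server (placeholder address); here the apache
# profile fits, and proxy use through it still alerts.
preprocessor http_inspect_server: server 192.0.2.20 \
    profile apache \
    ports { 80 }

# Every other host that speaks HTTP (other web or application servers)
# gets the generic profile. Monitor the alerts for a while and tune from
# here.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 8180 } \
    oversize_dir_length 500
```

Specific `server <ip>` entries take precedence over `server default`, so the generic profile only applies to hosts without their own entry.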
Received on Jan 16 2008