Snort mailing list archives

RE: about snort.conf and setting some vars


From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Fri, 10 Dec 2004 12:25:46 -0600

Marcelo,

All IDS deployments should go through constant tuning to help reduce the
amount of false-positive "noise" that doesn't affect you. If you do not
have any SQL servers, telnet services, etc., comment out the following
rulesets in your snort.conf:


snort.conf:include $RULE_PATH/sql.rules
snort.conf:include $RULE_PATH/mysql.rules
snort.conf:include $RULE_PATH/telnet.rules
snort.conf:include $RULE_PATH/snmp.rules

However, do you have such control over your environment/users that you know
for sure no one will ever start a telnet server or SQL server on your
network without you knowing? If you disable these rules, Snort won't alert
to any of this type of traffic if someone decides to do so.


Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, Inc.

------------------------------------------------------------------------

1134 N. Main St.                     Tel: (877) 262-7593 x327
Algonquin, IL                        Fax: (877) 262-7593
60102                                Mobile: (847) 456-6785
http://www.appliedwatch.com          Email: eric.hines () appliedwatch com
"Enterprise Snort Management"
------------------------------------------------------------------------
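The tuning Eric describes (commenting out the includes for services you do not run) is easy to do by hand once, but a script keeps the edit repeatable and reviewable. The following is an added example, not code from this thread or from the Snort project. It assumes Snort 2.x snort.conf syntax ("include $RULE_PATH/<name>.rules", "var NAME value", bracketed IP lists), uses a constructed snort.conf fragment as input, and the "# tuned:" marker and the host addresses are made up for the example. It also goes one step beyond the thread: when you do have a few servers for a service, it narrows the matching *_SERVERS variable to those hosts instead of $HOME_NET rather than dropping the ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort project: apply the
# tuning Eric describes (comment out rulesets you have no servers for) as a
# reviewable script, and optionally narrow a *_SERVERS variable to an explicit
# host list instead of $HOME_NET. Assumes Snort 2.x snort.conf syntax.

# Constructed snort.conf fragment used as sample input (not a real deployment).
SAMPLE_CONF='var HOME_NET 10.0.0.0/24
var EXTERNAL_NET !$HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET
include $RULE_PATH/sql.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/web-attacks.rules'

# disable_rulesets CONF_TEXT NAME...
# Prints CONF_TEXT with each "include $RULE_PATH/NAME.rules" line commented
# out and tagged, so a later diff shows exactly what was tuned away. Other
# lines pass through unchanged; an already commented include is left alone.
disable_rulesets() {
    conf=$1; shift
    names=$*
    printf '%s\n' "$conf" | while IFS= read -r line; do
        out=$line
        for name in $names; do
            if [ "$line" = "include \$RULE_PATH/$name.rules" ]; then
                out="# tuned: disabled $line"
                break
            fi
        done
        printf '%s\n' "$out"
    done
}

# set_var CONF_TEXT NAME VALUE
# Rewrites "var NAME <old value>" to "var NAME VALUE". Use it to pin a server
# variable to the hosts that really run the service (Snort list syntax,
# e.g. [10.0.0.5,10.0.0.6]) instead of the $HOME_NET default.
set_var() {
    conf=$1; name=$2; value=$3
    printf '%s\n' "$conf" | while IFS= read -r line; do
        case $line in
            "var $name "*) printf 'var %s %s\n' "$name" "$value" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# active_includes CONF_TEXT : number of include lines still enabled.
active_includes() {
    printf '%s\n' "$1" | grep -c '^include '
}

# Usage: no SQL/telnet/SNMP servers at all -> drop the four rulesets Eric lists.
TUNED=$(disable_rulesets "$SAMPLE_CONF" sql mysql telnet snmp)
# Alternative when you do have a couple of SQL servers: keep sql.rules and
# narrow SQL_SERVERS to them (hosts are made up for the example).
NARROWED=$(set_var "$SAMPLE_CONF" SQL_SERVERS '[10.0.0.5,10.0.0.6]')

echo "active includes before: $(active_includes "$SAMPLE_CONF"), after: $(active_includes "$TUNED")"
printf '%s\n' "$TUNED"
printf '%s\n' "$NARROWED" | grep '^var SQL_SERVERS '
```

Diffing the tuned file against the original is the review artifact: every disabled ruleset is visible and tagged. Narrowing a variable keeps the rules active for the hosts you know about, but as Eric points out, a server that appears outside that list (or on a network with the ruleset commented out) is exactly the traffic Snort will then not alert on.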

-----Original Message-----
From: Marcelo Zúñiga Torres [mailto:tanelorn44 () yahoo es] 
Sent: Friday, December 10, 2004 12:14 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] about snort.conf and setting some vars

Hi everybody, my question is how can I set some variables if I don't have
an SQL, telnet or SNMP server. I don't want Snort checking on servers that
don't have those services available...


var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

Is there a "none" option? If I comment those lines out, Snort can't work.
Is it worth it to stop Snort checking on those services?

Marcelo Zuniga Torres
Departamento de Electronica
UTFSM, CHILE



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users