RE: Re: Noob

[Brian Stamper <BStamper () spencerhospital org>]

OK hang with me here.  I've done a great deal of reading and all.  This
isn't your average network reading.  So I'm still a little hazy on it all.
As for multiple sensors...I presume then you would need multiple network
cards for those sensors?  As for what I'm seeing...well I'm gonna do what I
do best and blame Microsoft. All I see is large amounts of NETBIOS traffic
on the network pertaining to the domain and well...windows doing what
windows does and it all seems to set off alerts.  I guess I don't know what
to think of that cause it just seems wrong to shut off the alerts/rules for
that but at the same time what else can I do?  Setting the EXTERNAL_NET to
!HOME_NET is basically shutting off what I want to accomplish by monitoring
my internal network.  I can see however where that would be handy for the
external sensor.  I guess I've just had a hard time finding and
understanding the documentation that I've read.  Thanks to all for your help
Brian

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us] 
Sent: Thursday, December 23, 2004 4:07 PM
To: Brian Stamper
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Re: Noob

On Thu, 2004-12-23 at 15:35 -0600, Brian Stamper wrote:
> OK so I've originally wanted snort running inside my network to make sure
> I'm not being attacked inside or scanned.  Things of that nature.  However
> as I look for explanation on why I'm getting all of the false SMB
Microsoft
> type traffic I see that most people use the var EXTERNAL_NET !$HOME_NET.
So
> what I gather is that people are not monitoring their local networks
> traffic?  Am I barking up the wrong tree here with what I want or does it
> just take some configuration to get around the false positives that I'm
> seeing?

Not at all. Snort placement and configuration is not a black or white
thing. For example, we have installations in client networks that are
configured for both :)  It depends where you monitor and what you want
to look for. We even have some sensors that have a duplicate "include
rule" sections. First we set EXTERNAL_NET to !HOME_NET, include most
rules, then set EXTERNAL_NET to any and include a specific subset of
rules.

You have to take a look at your setup and decide if you want to alert on
hostile intruders or on hostile insiders :)  You will probably find
yourself running both, with different configurations and perhaps on
different sensors.

(Tip: Focus on intruders at your connectivity points -- Internet, WAN
links, dial-in, wireless, etc -- and focus on insiders within your
server segments and cores.)

Hope that helps,
Frank



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users