Snort mailing list archives

RE: Re: Noob

From: Frank Knobbe <frank () knobbe us>
Date: Thu, 23 Dec 2004 16:07:15 -0600

On Thu, 2004-12-23 at 15:35 -0600, Brian Stamper wrote:

OK so I've originally wanted snort running inside my network to make sure
I'm not being attacked inside or scanned.  Things of that nature.  However
as I look for explanation on why I'm getting all of the false SMB Microsoft
type traffic I see that most people use the var EXTERNAL_NET !$HOME_NET.  So
what I gather is that people are not monitoring their local networks
traffic?  Am I barking up the wrong tree here with what I want or does it
just take some configuration to get around the false positives that I'm
seeing?


Not at all. Snort placement and configuration is not a black or white
thing. For example, we have installations in client networks that are
configured for both :)  It depends where you monitor and what you want
to look for. We even have some sensors that have a duplicate "include
rule" sections. First we set EXTERNAL_NET to !HOME_NET, include most
rules, then set EXTERNAL_NET to any and include a specific subset of
rules.

You have to take a look at your setup and decide if you want to alert on
hostile intruders or on hostile insiders :)  You will probably find
yourself running both, with different configurations and perhaps on
different sensors.

(Tip: Focus on intruders at your connectivity points -- Internet, WAN
links, dial-in, wireless, etc -- and focus on insiders within your
server segments and cores.)

Hope that helps,
Frank




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Noob Brian Stamper (Dec 22)
- Re: Noob Tim Slighter (Dec 22)
- <Possible follow-ups>
- Re: Noob Brian Stamper (Dec 23)
  - RE: Re: Noob Bob Konigsberg (Dec 23)
  - Re: Re: Noob Brian Caswell (Dec 24)
- RE: Re: Noob Brian Stamper (Dec 23)
  - RE: Re: Noob Bob Konigsberg (Dec 23)
    - Re: Re: Noob J-H Johansen (Dec 23)
- RE: Re: Noob Brian Stamper (Dec 23)
  - RE: Re: Noob Frank Knobbe (Dec 23)
- RE: Re: Noob Brian Stamper (Dec 23)