Snort mailing list archives

Re: IDS


From: Justin Pederson via Snort-users <snort-users () lists snort org>
Date: Mon, 10 Jul 2017 10:58:27 -0500

Thank you Jason,

I am running this on the internal network so just using it as an IDS for
now.  I set some rules up which fired fine, but nothing else.  I thought
after setting this up I would be loaded with false positives the first
couple of days rather than hardly any alerts.  I grabbed 2 pcaps from
PacketTotal and ran them under the snort -r .pcap switch.  I got a lot of
"Warning: No preprocessors configured for policy 0."  I have not looked into
that error yet, and I am not sure if everything is configured right
yet.

On Mon, Jul 10, 2017 at 10:52 AM, Jason Hellenthal <jhellenthal () dataix net>
wrote:

Normally that's just to set it up and maintain the software and rules to go
along with it to start. IDS in itself: snort(1) uses libpcap to build its
interrogation techniques while still sending the traffic to its destination,
which seems to be quite confusing to some folks after they find the traffic
still arriving at the dst host.

IPS mode… inline mode inspects the traffic live and drops or passes them
on your determination of rules that should drop or alert. By default you
get a lot of ALERT only rules and not sure why they are not dropping…
because you have not set them to drop. SID mgmt becomes a big part of this
operation.

So hopefully as you can see each side has a drawback of the way you manage
the entire structure that you built but when done with all that in mind
along with the reporting infrastructure you get a highly tuned IDS/IPS
solution that fits almost any size network.

If you have not dealt with snort before in both of the above mentioned
roles then you might want to lean on using the legacy mode that uses
libpcap depending on the project's requirements. Most often IDS legacy mode
with blocking enabled is adequate enough for most small to 2/3 size medium
businesses and will result in less time of maintainer-ship.

Though that is just my opinion and only a portion of what can actually be
done with snort and other related IDS/IPS solutions. Maybe a more well
rounded question of “this is what I am trying to achieve vs. this is what I
don’t like right now with what I have” may be more helpful to answer.


Hope some of this helps.


On Jul 10, 2017, at 10:15, Justin Pederson via Snort-users <
snort-users () lists snort org> wrote:

What is the best way to set snort up?  Either have it just look at the
live packets as they come in or to form a pcap then to look into the pcap?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

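Jason's point about SID management (the stock rules say "alert", and nothing drops until you change that per rule) is routinely handled by rewriting the action keyword of selected SIDs before the rules are loaded, which is what tools such as PulledPork do with their drop/disable SID lists. The script below is an added example written for this thread, not code from the Snort project or from either poster; it rewrites a rules file so that chosen SIDs become "drop" and others are commented out, and it runs against a few constructed sample rules (the 9000001-9000003 SIDs and their rule text are made up for the example).

```python
#!/usr/bin/env python3
"""Rewrite the action of Snort rules by SID: promote alert -> drop, or disable.

Added example for the thread above; not part of Snort or PulledPork.
"""
import re
import sys

# Action keyword at the start of an active (non-commented) rule line.
ACTION_RE = re.compile(r"^(\s*)(alert|log|pass|drop|reject|sdrop)(\s+)", re.IGNORECASE)
# The sid option inside the rule body, e.g. "sid:9000001;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules for the demonstration; SIDs and text are invented.
SAMPLE_RULES = [
    "# constructed sample rules, not from any shipped ruleset",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed SSH brute-force example"; '
    "flow:to_server; detection_filter:track by_src, count 5, seconds 60; sid:9000001; rev:1;)",
    'alert icmp any any -> $HOME_NET any (msg:"constructed ICMP echo example"; itype:8; sid:9000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"constructed IRC egress example"; sid:9000003; rev:2;)',
]


def rule_sid(line):
    """Return the SID of an active rule line, or None for comments, blanks and rules without a sid."""
    if not ACTION_RE.match(line):
        return None
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def set_action(line, action):
    """Replace the leading action keyword of a rule line, keeping its whitespace intact."""
    return ACTION_RE.sub(lambda m: f"{m.group(1)}{action}{m.group(3)}", line, count=1)


def apply_sid_policy(lines, drop_sids, disable_sids=frozenset()):
    """Return a new list of rule lines with the SID policy applied.

    drop_sids    -> action rewritten to "drop" (only meaningful when Snort runs inline)
    disable_sids -> rule commented out so it neither alerts nor drops
    Lines that are not active rules pass through untouched.
    """
    out = []
    for line in lines:
        sid = rule_sid(line)
        if sid is None:
            out.append(line)
        elif sid in disable_sids:
            out.append("# " + line)
        elif sid in drop_sids:
            out.append(set_action(line, "drop"))
        else:
            out.append(line)
    return out


def action_counts(lines):
    """Count active rules per action keyword; handy for checking what a policy did."""
    counts = {}
    for line in lines:
        m = ACTION_RE.match(line)
        if m:
            action = m.group(2).lower()
            counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: sid_policy.py [rules_file]; with no file, the constructed samples are used.
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_RULES
    rewritten = apply_sid_policy(src, drop_sids={9000001}, disable_sids={9000002})
    print("\n".join(rewritten))
    print("# action counts:", action_counts(rewritten), file=sys.stderr)
```

The rewritten rules only block traffic when Snort is actually inline (the IPS mode Jason describes); in the passive libpcap setup Justin is running, a "drop" rule still just alerts, so the policy file can be prepared and tested on pcaps before the sensor is moved inline.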