IDS mailing list archives
Re: Snort as IDS
From: Jon Uriona <jurionamendi () yahoo es>
Date: Mon, 14 Jan 2008 11:32:36 +0100
Hi Sanjay First, thanx for your reply,
Hi Jon: The first thing that i observed about Snort is - The administrator should be very good at tuning it according to h(is|er) understanding of network. The snort rules are prone to false alarms. So you have to bang your head ;)
I'm trying to learn about this network (new to me) while I tune the IDS...
I need to know if I need to apply web detection rules (attacks, cgi, client, misc, php...) and preprocesor (http_inspect) to devices acting as web proxies. I am getting thousand of alerts due to those rules from my proxy clients and their external requests which I believe all of them are false. Am I right?I am bit confused as Snort is network level IDS and therefore, why doyou need to configure it specific to each client?
It's a network IDS in the sense that it "sees" all the network traffic, but what it needs to detect is the signatures of the "attacks" it has in it's rule database. In the case of this network, the biggest amount of traffic I have to "look" at is the traffic entering to the proxies...
Also, any proxy embeds HTTP request/response in another http packets and forward it to the client/server. So, if the attack is against a client, proxy server is safe as it may not be processing the packet (of course, if additional checks are not configured in it).
Here is the clue... So I guess I have to know if my proxy processes in any manner these requests...
Anyway I think that the objetive of the attacks in snort rulebase in the web-* rules is never the proxy, is the final website.
I've done some searches in my web-* rulebase about "Squid" vulnerabilities and I have only found one... This vuln is already patched in the Squid servers, so I think my proxy servers will get out of the http-server group.
Thanx, Jon ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Snort as IDS Jon Uriona (Jan 11)
- Re: Snort as IDS Sanjay R (Jan 16)
- Re: Snort as IDS Jon Uriona (Jan 16)
- Re: Snort as IDS Sanjay R (Jan 16)