IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort as IDS

From: Jon Uriona <jurionamendi () yahoo es>
Date: Mon, 14 Jan 2008 11:32:36 +0100
Hi Sanjay

First, thanx for your reply,


Hi Jon:
The first thing that i observed about Snort is - The administrator
should be very good at tuning it according to h(is|er) understanding
of network. The snort rules are prone to false alarms. So you have to
bang your head ;)


I'm trying to learn about this network (new to me) while I tune the IDS...



I need to know if I need to apply web detection rules
(attacks, cgi, client, misc, php...) and preprocesor (http_inspect) to
devices acting as web proxies. I am getting thousand of alerts due to
those rules from my proxy clients and their external requests which I
believe all of them are false. Am I right?

I am bit confused as Snort is network level IDS and therefore, why do
you need to configure it specific to each client?
It's a network IDS in the sense that it "sees" all the network traffic, but what it needs to detect is the signatures of the "attacks" it has in it's rule database. In the case of this network, the biggest amount of traffic I have to "look" at is the traffic entering to the proxies... 


Also, any proxy
embeds HTTP request/response in another http packets and forward it to
the client/server. So, if the attack is against a client, proxy server
is safe as it may not be processing the packet (of course, if
additional checks are not configured in it).
Here is the clue... So I guess I have to know if my proxy processes in any manner these requests...
Anyway I think that the objetive of the attacks in snort rulebase in the web-* rules is never the proxy, is the final website.
I've done some searches in my web-* rulebase about "Squid" vulnerabilities and I have only found one... This vuln is already patched in the Squid servers, so I think my proxy servers will get out of the http-server group. 

Thanx,

Jon


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. 
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: