Honeypots mailing list archives
Re: GenII Honeynet practical use of Snort/Snort_Inline/Swatch
From: Lance Spitzner <lance () honeynet org>
Date: Fri, 27 Jun 2003 22:28:43 -0500 (CDT)
On Fri, 27 Jun 2003, Brent J. Nordquist wrote:
- The GenII paper says "If you are running drop-rules.tgz ruleset, you test by simply by first enabling the default test rule," -- I am using the distributed drop-rules.tgz, but I couldn't find that ruleset. Can someone point me to it? (I added my own that was basically a wildcard, and confirmed that it triggered Snort_Inline.)
I did a bad job of placing the test rule set (it was part of the README in the drop.rules directory). To make it much easier to find, the toolkit now has a test.rules ruleset included with the Toolkit. Should be very easy to find. I also REMOVED the pre-converted rules within the Toolkit as they were out of date. This forces you to download the latest from the Snort website and convert them to drop using the convert.sh script. It's too tempting for people to use the included, but severely outdated, drop rule set that's included with the Toolkit. Temptation now removed :)
- The paper doesn't appear to say anything about how to set up rules that achieve this. I did a telnet in both directions, but neither one was logged. Again, I added a simple "wildcard" rule and was able to get Snort to trigger and log the session. So it looks like the standard Snort rules (which appear to be set up to catch "bad" activity) aren't what you want for capturing *all* activity. What Snort rules do people use?
Use the Project's standard snort.conf file for data capture; you can find it online at http://www.honeynet.org/papers/honeynet/tools/snort.conf
I did a poor job of pointing that out in the GenII paper, now fixed :)
- Is this what people use in practice, or do you only alert on TCP or UDP (ignoring ICMP), or do you have other custom Swatch patterns to ignore false positives (IDENT, NTP, etc.)?
If it's going outbound, ALERT! Don't focus on the protocol, but on the direction in which it is initiated. The Honeynet Project is developing GUI interfaces to monitor, alert, and analyze activity in real time.
Thanks!
lance
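The three practical pieces touched on in this thread (a catch-all test rule for snort_inline, converting downloaded Snort "alert" rules to "drop" rules, and alerting on direction rather than protocol) are sketched below as an added POSIX sh example. It is not code from the original message or from the Honeynet Project's Toolkit; the Toolkit's own convert.sh, test.rules and snort.conf are not reproduced here. It assumes Snort 2.x rule syntax, the snort_inline "drop" action, Snort's fast-alert log format, and a hypothetical honeynet address block of 10.0.0.0/24; every rule and alert line in it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Honeynet Project's Toolkit (its convert.sh,
# test.rules and snort.conf are not reproduced here). Assumes Snort 2.x rule
# syntax, the snort_inline "drop" action, Snort's fast-alert log format, and a
# hypothetical honeynet block of 10.0.0.0/24. All sample data is constructed.

HONEYNET_PREFIX="10.0.0."    # hypothetical honeynet /24, adjust to your own

# Rewrite the action keyword of every "alert" rule on stdin to "drop", which is
# what snort_inline needs in order to block instead of only log. Only a leading
# "alert" is touched, so commented-out rules and "alert" inside a msg string
# are left alone; "log" and "pass" rules are passed through unchanged.
convert_alert_to_drop() {
    sed -e 's/^[[:space:]]*alert[[:space:]]/drop /'
}

# A catch-all test rule: every IP packet crossing the bridge matches, so it is
# only useful to confirm that the inline path (and the drop action) works.
test_rule() {
    printf '%s\n' 'drop ip any any -> any any (msg:"SNORT_INLINE test rule"; sid:9000001; rev:1;)'
}

# Direction check in the spirit of "if it's going outbound, ALERT": given one
# Snort fast-alert line, succeed (exit 0) when the source address is inside the
# honeynet and the destination is outside it, whatever the protocol (TCP, UDP
# and ICMP lines all end in "{PROTO} SRC[:PORT] -> DST[:PORT]").
is_outbound_alert() {
    line=$1
    close='} '
    rest=${line##*"$close"}      # "SRC[:PORT] -> DST[:PORT]"
    src=${rest%% -> *}           # left of the arrow
    dst=${rest##* -> }           # right of the arrow
    src=${src%%:*}               # strip the port, if any
    dst=${dst%%:*}
    case "$src" in
        "$HONEYNET_PREFIX"*) ;;  # source is a honeypot, keep checking
        *) return 1 ;;           # inbound or unrelated traffic
    esac
    case "$dst" in
        "$HONEYNET_PREFIX"*) return 1 ;;  # honeypot-to-honeypot, not outbound
        *) return 0 ;;
    esac
}

# Demonstration on constructed input.
printf '%s\n' \
  'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC alert test"; sid:1;)' \
  '# alert udp any any -> any 53 (msg:"commented out"; sid:2;)' \
  'log ip any any -> any any (msg:"log everything"; sid:3;)' \
  | convert_alert_to_drop
test_rule

for alert in \
  '06/27-22:28:43.000000  [**] [1:9000002:1] constructed outbound TCP [**] [Priority: 1] {TCP} 10.0.0.5:1024 -> 192.0.2.10:80' \
  '06/27-22:28:44.000000  [**] [1:9000003:1] constructed inbound scan [**] [Priority: 3] {TCP} 192.0.2.10:4321 -> 10.0.0.5:22' \
  '06/27-22:28:45.000000  [**] [1:9000004:1] constructed outbound ping [**] [Priority: 2] {ICMP} 10.0.0.5 -> 192.0.2.10' \
  '06/27-22:28:46.000000  [**] [1:9000005:1] constructed honeypot-to-honeypot [**] [Priority: 3] {UDP} 10.0.0.5:137 -> 10.0.0.6:137'
do
    if is_outbound_alert "$alert"; then
        echo "OUTBOUND  $alert"
    else
        echo "ignore    $alert"
    fi
done
```

The direction check is deliberately protocol-blind: the ICMP line above has no ports, and it is still flagged as outbound because the honeypot is the source. Swatch can carry the same idea as a regular expression keyed on the source address range instead of on per-protocol ignore patterns.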
Current thread:
- GenII Honeynet practical use of Snort/Snort_Inline/Swatch Brent J. Nordquist (Jun 27)
- Re: GenII Honeynet practical use of Snort/Snort_Inline/Swatch ravenlord (Jun 27)
- Re: GenII Honeynet practical use of Snort/Snort_Inline/Swatch Lance Spitzner (Jun 27)