Snort mailing list archives
Thoughts on internal vs. external IDS rulesets
From: "Chris Eidem" <ceidem () Dexma com>
Date: Wed, 10 Apr 2002 10:43:58 -0500
Hey y'all,

I'm in the process of reworking my rulesets for the sensors that I have on my network. What I would like to know from anyone who cares to answer is, "what is the difference between your internal and external sensors?"

Basically, I'm running (pretty much, anyway) the standard rulesets that come with snort on the external sensor and a modified local.rules that takes out a lot of the false positives for any internal activity on my internal sensors. I'm not really running that many special rules and I have a feeling that perhaps I need to. By way of an example, I have a couple of rules looking for outbound tftp (CR and Nimda) and a couple of others for keeping track of users so that they don't run programs that cause problems for me (i.e. make my pager go off at 0300 because someone decided to run a PtP sharing proggie. They're walking funny now, thanks for asking...).

What do y'all look for running around in your network? Virii? PtP programs? Outbound unauthorized connections? Anything I haven't mentioned?

TIA,
- chris

Chris Eidem
Network Administrator
Dexma, Inc.
7701 York Av. S.
Edina, MN 55435
Phone: 952.229.1311
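The kind of internal-sensor local.rules entry the post describes (outbound tftp from infected Code Red II / Nimda hosts, which fetch their payload over tftp from the infecting machine), written out as an added example rather than the poster's own rules; the HOME_NET range, the sid values and the rule names are assumptions chosen for illustration.

```snort
# Constructed example for an INTERNAL sensor: HOME_NET is the address
# space behind the sensor, so "$HOME_NET -> $EXTERNAL_NET" means outbound.
# (On an external sensor these same rules would mostly fire on inbound
# scans, which is why the two sensors want different rule sets.)
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET

# TFTP carries a 2-byte opcode first: 00 01 = read request (RRQ),
# 00 02 = write request (WRQ). A workstation issuing an RRQ to the
# outside is the classic Nimda/Code Red II "tftp -i <host> GET admin.dll"
# pattern, so alert on any outbound RRQ, not only on the known filename.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"LOCAL outbound TFTP read request (worm download pattern)"; content:"|00 01|"; depth:2; classtype:policy-violation; sid:1000001; rev:1;)

# Outbound WRQ is rarer still for ordinary users and usually means a box
# is pushing data out; flag it separately so the two cases can be triaged apart.
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"LOCAL outbound TFTP write request"; content:"|00 02|"; depth:2; classtype:policy-violation; sid:1000002; rev:1;)

# Narrower companion rule: the specific Nimda filename, nocase because the
# worm and its copies vary the capitalisation. Higher signal, lower coverage.
alert udp $HOME_NET any -> any 69 (msg:"LOCAL Nimda admin.dll TFTP request"; content:"|00 01|"; depth:2; content:"admin.dll"; nocase; classtype:policy-violation; sid:1000003; rev:1;)
```

Legitimate tftp (router and phone config pulls) normally stays inside HOME_NET, so these rules stay quiet on an internal sensor; add a pass rule or exclude the boot servers' addresses if your network does push configs across the boundary.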