Snort mailing list archives
RE: Best Practices
From: "Vintinner, M. Scott" <scottv () rbh com>
Date: Tue, 11 Mar 2003 14:02:14 -0500
Snort isn't really a scanner, which is what you've described. A scanner looks at hosts you specify, figures out if there are any vulnerabilities, then lets you know so you can patch them. With a scanner, you could remove scanner tests once the systems have been patched. Snort's job, on the other hand, is to detect when people are actually attacking your systems. Snort isn't going to tell you if a computer is susceptible to attack or if the attack was successful, only that someone actually tried to attack it.

To answer your question: most people would say that they want to know when/if an attack is taking place (even if they know it won't affect them). However, it really depends on what your personal goals are for the system. You might set up one copy of Snort externally on your network to detect all attacks (all rules), then set up a copy of Snort internally on your network to detect attacks that make it past your firewall. In the case of the internal version, you might disable rules that don't apply to your system (for example, if you aren't running any web servers you could disable the web server rules).

Hope this helps,

Scott

-----Original Message-----
From: rellington () assesstech com [mailto:rellington () assesstech com]
Sent: Tuesday, March 11, 2003 12:31 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best Practices

Hello,

I'm a new Snort user and have a newbie-type question. Do most people comment out rules once they've received alerts and verified that the machines in question have been patched?

Thanks,
Ray
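The two-sensor layout Scott describes, as an added illustration that is not from the original thread: two separate snort.conf fragments (Snort 2.x-era syntax assumed), one for the external sensor with every rule file included and one for the internal sensor with the web server rule files commented out. The address block and the set of services assumed to run inside are constructed for the example.

```conf
# ---- External sensor (its own snort.conf): outside the firewall ----
# Goal: see every attack attempt, so every rule file is included.
# 192.0.2.0/24 is a constructed example network, not a real one.
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules

# Send alerts to syslog so they can be collected centrally.
output alert_syslog: LOG_AUTH LOG_ALERT

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules

# ---- Internal sensor (a second snort.conf): behind the firewall ----
# Only traffic that got past the firewall is seen here, so each alert
# is worth looking at. Rule files for services that are assumed not to
# run on this segment (web servers, FTP, SQL) are commented out rather
# than deleted, so they can be turned back on if a server is added.
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules

output alert_syslog: LOG_AUTH LOG_ALERT

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
# Assumed present inside: a mail relay and an internal DNS resolver.
include $RULE_PATH/smtp.rules
include $RULE_PATH/dns.rules
# Assumed absent inside: no web, FTP or database servers.
# include $RULE_PATH/ftp.rules
# include $RULE_PATH/web-cgi.rules
# include $RULE_PATH/web-iis.rules
# include $RULE_PATH/web-frontpage.rules
# include $RULE_PATH/web-misc.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/sql.rules
```

Keeping the disabled lines as comments leaves a record of what was tuned out, which is easier to audit than a rule file that has simply gone missing.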