Snort mailing list archives

RE: Best Practices


From: "Vintinner, M. Scott" <scottv () rbh com>
Date: Tue, 11 Mar 2003 14:02:14 -0500

Snort isn't really a scanner, which is what you've described.  A scanner
looks at hosts you specify, figures out if there are any vulnerabilities,
then lets you know so you can patch them.  With a scanner, you could remove
scanner tests once the systems have been patched. 

Snort's job, on the other hand, is to detect when people are actually
attacking your systems.  Snort isn't going to tell you if a computer is
susceptible to attack or if the attack was successful, only that someone
actually tried to attack it.

To answer your question:  most people would say that they want to know
when/if an attack is taking place (even if they know it won't affect them).
However, it really depends on what your personal goals are for the system.
You might set up one copy of snort externally on your network to detect all
attacks (all rules), then set up a copy of snort internally on your network
to detect attacks that make it past your firewall.  In the case of the
internal version, you might disable rules that don't apply to your system
(for example if you aren't running any web servers you could disable the web
server rules).

Hope this helps,

Scott



-----Original Message-----
From: rellington () assesstech com [mailto:rellington () assesstech com] 
Sent: Tuesday, March 11, 2003 12:31 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Best Practices


Hello,

I'm a new Snort user and have a newbie type question.
Do most people comment out rules once they've received alerts and verified
that the machines in question have been patched?

Thanks,
Ray




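Scott's two-sensor layout above (every rule on the external sensor, service-irrelevant rule files disabled on the internal one) as an added example, not code from the thread or from the Snort project. It assumes a Snort 2.x style snort.conf whose rule files are pulled in with `include $RULE_PATH/<category>.rules` lines; the sample config and the `web-` prefix are constructed for the illustration.

```python
"""Derive an internal-sensor snort.conf from the full external one.

Includes whose rule file matches a category the internal segment does
not need (e.g. web-* when no web servers sit behind the firewall) are
commented out rather than deleted, so the difference between the two
sensors' configs stays reviewable.
"""
import re

# Constructed sample: the include section of a Snort 2.x snort.conf.
EXTERNAL_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/sql.rules
"""

# Matches an active (uncommented) rule-file include and captures the category.
INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/([\w.-]+)\.rules\s*$")


def internal_conf(external: str, unused_prefixes: tuple) -> str:
    """Comment out rule includes whose file name starts with an unused prefix.

    unused_prefixes names rule categories for services absent from the
    internal segment; everything else (scan, exploit, ...) is kept, since
    attacks that crossed the firewall are exactly what this sensor is for.
    """
    out = []
    for line in external.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1).startswith(unused_prefixes):
            out.append("# disabled on internal sensor: " + line.strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def active_rule_files(conf: str) -> list:
    """Return the rule categories still included (uncommented) in a config."""
    active = []
    for line in conf.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            active.append(m.group(1))
    return active


if __name__ == "__main__":
    print(internal_conf(EXTERNAL_CONF, ("web-",)))
```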