Snort mailing list archives
RE: Rules optimization
From: "Vuppala, Vijaybhasker (EM, GECIS)" <Vijaybhasker.Vuppala () geind ge com>
Date: Fri, 20 Jun 2003 02:44:33 -0400
Few questions 1. I have multiple subnets in the segment where i'm monitoring the data. is it possible to add multiple segments in HOME_NET 2. if i add my subnets to HOME_NET, will it be able to capture both attaks coming into my network as well as attaks being generated from my Network. I'm basically monitoring company's internal network and interested in both. Regards, Vijay -----Original Message----- From: Erek Adams [mailto:erek () snort org] Sent: Wednesday, June 18, 2003 10:50 PM To: Vuppala, Vijaybhasker (EM, GECIS) Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Rules optimization On Wed, 18 Jun 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:
I have used Snort ver 1.8.7 on Redhat Linux 7.3 with Default Rules
provided [...snip...] You need to upgrade. Versions <=1.9.1 have a nasty remotely exploitable hole in them. As for rule tuning, it sounds like you don't have the HOME_NET and EXTERNAL_NET variables set correctly. HOME_NET should be set to the network you want to "watch", and EXTERNAL_NET should be everything else. So if your network was 10.10.10.0/24: var HOME_NET 10.10.10.0/24 var EXTERNAL_NET !$HOME_NET With those settings it should reduce the number of false postives you get. As for tuning, you simply have to get Snort setup and working, and then examine each and every alert. You have then decide if the packets are 'normal' or not. You'll discover things that you need to setup pass rules for, add BPF filters or add a rule for. Something like Ntop [0] is very helpful in this respect to get a nice 'overview' of your networks traffic. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson [0] http://www.ntop.org/ ------------------------------------------------------- This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Rules optimization Vuppala, Vijaybhasker (EM, GECIS) (Jun 18)
- Re: Rules optimization Erek Adams (Jun 18)
- AW: Rules optimization Sean Wheeler (Jun 19)
- <Possible follow-ups>
- Re: Rules optimization Matt Kettler (Jun 18)
- RE: Rules optimization Vuppala, Vijaybhasker (EM, GECIS) (Jun 20)
- RE: Rules optimization Erek Adams (Jun 20)
- Re: Rules optimization Erek Adams (Jun 18)