Snort mailing list archives
Re: Which rules for specific open ports?
From: Erek Adams <erek () snort org>
Date: Sun, 6 Jul 2003 02:12:20 -0400 (EDT)
On Sat, 5 Jul 2003 briankd () sonic net wrote:
I'm setting up an Apache/PHP web server behind my DSL router, and setting the router to only forward ports 80 and 22 to the server. I'm concerned about potential intrusions, but I feel like I've covered a lot of the potential exposures by using the port-forwarding scenario.
Some. Be cautious and don't let that fool you into a false sense of security.
I followed the recipe at http://www.internetsecurityguru.com/documents/snort_acid_rh9.pdf to set Snort/PHP/Acid up on this web server. Is there a way I can determine which rules & preprocessors are the only ones necessary to protect against intrusion on those two ports?
stream4, converstation, http_decode for sure. Rules? Well, any that deal with web applications (rules/web*) or that have port 22 in them. A simple: egrep -i " 22 |ssh" rules/*.rules Should snag most of them. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Which rules for specific open ports? briankd (Jul 05)
- Re: Which rules for specific open ports? Erek Adams (Jul 06)