Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Snort Network Suppression

from [Ureleet] Network Security [Permanent Link]
Subject: Re: Snort Network Suppression
Date: Mon, 17 Dec 2007 12:22:22 -0500 
latest stable is 2.8.0.1.  look it up.  www.snort.org

you should compile snort anyway imnsho.  why rely on a package that
someone put together.  just compile snort and go with it.

On Dec 15, 2007 5:52 AM, Matteo Ignaccolo <matteo.ignaccolo@gmail.com> wrote:

Jonathan Askew JBASKEW wrote:


I am new to IDS and have just set up snort on a ubuntu host.


Which snort version?
On debian and debian based distros, as ubuntu, yuo will find only old
versions of snort.
For example, this summer on official ubuntu mirror was available
Snort 2.3.3, when the latest STABLE release was the 2.7
IMHO the best way to use snort on ubuntu is compile latest stable
release.


It has worked
well except for the fact that I am getting some false positivies
from local
traffic on the network.


Have you set the proper rules set for your network?


I want to set a rule in order to suppress/ignore local network
traffic for 192.168.1.0/24.
I know this can be done in the /etc/threshold.conf file but have
not been
able to do so successfully.


The correct solution is the tip in Boogie B. answer.
If I remember well, during installation you set your internal network
IP address and subnet, but the external net is sets to "any" as default
Remember that is not a good choice suppress all traffic from internal
host, because you'll be not able to detect anomaly activity that
starts from internal host.

--
Matteo Ignaccolo




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Snort Network Suppression, Jonathan Askew JBASKEW
Next by Date:  Re: Snort Network Suppression, Jamie Riden
Previous by Thread:  Re: Snort Network Suppression, Matteo Ignaccolo
Indexes:  [Date] [Thread] [Top] [All Lists]