Network Security Focus-IDS

Re: Snort as IDS

Subject: Re: Snort as IDS
Date: Mon, 14 Jan 2008 11:32:36 +0100
Hi Sanjay

First, thanx for your reply,

> Hi Jon:
> The first thing that i observed about Snort is - The administrator
> should be very good at tuning it according to h(is|er) understanding
> of network. The snort rules are prone to false alarms. So you have to
> bang your head ;)

I'm trying to learn about this network (new to me) while I tune the IDS...


>> I need to know if I need to apply web detection rules
>> (attacks, cgi, client, misc, php...) and preprocessor (http_inspect) to
>> devices acting as web proxies. I am getting thousands of alerts due to
>> those rules from my proxy clients and their external requests which I
>> believe all of them are false. Am I right?
> I am a bit confused as Snort is a network-level IDS and therefore, why do
> you need to configure it specific to each client?

It's a network IDS in the sense that it "sees" all the network traffic, but what it needs to detect is the signatures of the "attacks" it has in its rule database. In the case of this network, the biggest amount of traffic I have to "look" at is the traffic entering the proxies...


> Also, any proxy
> embeds HTTP request/response in other HTTP packets and forwards it to
> the client/server. So, if the attack is against a client, proxy server
> is safe as it may not be processing the packet (of course, if
> additional checks are not configured in it).

Here is the clue... So I guess I have to know if my proxy processes in any manner these requests...


Anyway I think that the objective of the attacks in the snort rulebase in the web-* rules is never the proxy; it is the final website.

I've done some searches in my web-* rulebase about "Squid" vulnerabilities and I have only found one... This vuln is already patched in the Squid servers, so I think my proxy servers will get out of the http-server group.

Thanx,

Jon
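As an added example (not part of this thread), a small Python triage helper for the situation Jon describes: it parses Snort 2.x alert_fast lines, counts which web-* signatures fire with a proxy as source (proxy -> website) or destination (client -> proxy), and renders candidate threshold.conf `suppress` entries for an analyst to review. The sample alerts, the sids and the addresses (10.1.1.5 as the Squid proxy) are constructed for this example.

```python
import re
from collections import Counter

# Layout of a Snort 2.x alert_fast line: "[gid:sid:rev] msg [**] ... {proto} src:port -> dst:port".
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (sids and addresses are made up for this example).
# 10.1.1.5 plays the Squid proxy, 10.1.1.50 a browser behind it, 203.0.113.10 a website.
SAMPLE_ALERTS = """\
01/14-11:30:01.000001  [**] [1:900001:3] WEB-CGI example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:40211 -> 203.0.113.10:80
01/14-11:30:01.000002  [**] [1:900001:3] WEB-CGI example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.50:51022 -> 10.1.1.5:3128
01/14-11:30:02.000003  [**] [1:900001:3] WEB-CGI example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:40212 -> 203.0.113.10:80
01/14-11:30:03.000004  [**] [1:900002:1] WEB-PHP example include [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.5:40213 -> 203.0.113.10:80
01/14-11:30:04.000005  [**] [1:900003:2] WEB-IIS example request [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.7:4455 -> 10.1.1.20:80
"""

def proxy_alert_counts(lines, proxy_ips):
    """Count alerts that involve a proxy, keyed by (gid, sid, msg, track, proxy ip).
    track is 'by_src' when the proxy sent the packet (proxy -> website) and
    'by_dst' when it received it (client -> proxy); other alerts are ignored."""
    counts = Counter()
    for line in lines:
        m = FAST_RE.search(line)
        if not m:
            continue
        if m["src"] in proxy_ips:
            counts[(m["gid"], m["sid"], m["msg"], "by_src", m["src"])] += 1
        elif m["dst"] in proxy_ips:
            counts[(m["gid"], m["sid"], m["msg"], "by_dst", m["dst"])] += 1
    return counts.most_common()

def suppress_candidates(lines, proxy_ips):
    """Render threshold.conf 'suppress' lines (Snort 2 syntax) for an analyst to review,
    noisiest signature first; nothing is applied automatically."""
    out = []
    for (gid, sid, msg, track, ip), n in proxy_alert_counts(lines, proxy_ips):
        out.append(f"# {msg}: {n} hits involving proxy {ip}")
        out.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}")
    return out

if __name__ == "__main__":
    print("\n".join(suppress_candidates(SAMPLE_ALERTS.splitlines(), {"10.1.1.5"})))
```

The alert from 198.51.100.7 against the real web server 10.1.1.20 is deliberately left out of the candidates, since that is the traffic the web-* rules are meant for.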

