On Thu, 2004-12-23 at 15:35 -0600, Brian Stamper wrote:
OK so I've originally wanted snort running inside my network to make sure
I'm not being attacked inside or scanned. Things of that nature. However
as I look for explanation on why I'm getting all of the false SMB Microsoft
type traffic I see that most people use the var EXTERNAL_NET !$HOME_NET. So
what I gather is that people are not monitoring their local networks
traffic? Am I barking up the wrong tree here with what I want or does it
just take some configuration to get around the false positives that I'm
seeing?
Not at all. Snort placement and configuration is not a black or white
thing. For example, we have installations in client networks that are
configured for both :) It depends where you monitor and what you want
to look for. We even have some sensors that have a duplicate "include
rule" sections. First we set EXTERNAL_NET to !HOME_NET, include most
rules, then set EXTERNAL_NET to any and include a specific subset of
rules.
You have to take a look at your setup and decide if you want to alert on
hostile intruders or on hostile insiders :) You will probably find
yourself running both, with different configurations and perhaps on
different sensors.
(Tip: Focus on intruders at your connectivity points -- Internet, WAN
links, dial-in, wireless, etc -- and focus on insiders within your
server segments and cores.)
Hope that helps,
Frank
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
