Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-users] Re: Noob

from [Brian Stamper] Network Security [Permanent Link]
Subject: RE: [Snort-users] Re: Noob
Date: Thu, 23 Dec 2004 16:18:32 -0600 
OK hang with me here.  I've done a great deal of reading and all.  This
isn't your average network reading.  So I'm still a little hazy on it all.
As for multiple sensors...I presume then you would need multiple network
cards for those sensors?  As for what I'm seeing...well I'm gonna do what I
do best and blame Microsoft. All I see is large amounts of NETBIOS traffic
on the network pertaining to the domain and well...windows doing what
windows does and it all seems to set off alerts.  I guess I don't know what
to think of that cause it just seems wrong to shut off the alerts/rules for
that but at the same time what else can I do?  Setting the EXTERNAL_NET to
!HOME_NET is basically shutting off what I want to accomplish by monitoring
my internal network.  I can see however where that would be handy for the
external sensor.  I guess I've just had a hard time finding and
understanding the documentation that I've read.  Thanks to all for your help
Brian

-----Original Message-----
From: Frank Knobbe [mailto:frank@knobbe.us] 
Sent: Thursday, December 23, 2004 4:07 PM
To: Brian Stamper
Cc: snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] Re: Noob

On Thu, 2004-12-23 at 15:35 -0600, Brian Stamper wrote:

OK so I've originally wanted snort running inside my network to make sure
I'm not being attacked inside or scanned.  Things of that nature.  However
as I look for explanation on why I'm getting all of the false SMB

Microsoft

type traffic I see that most people use the var EXTERNAL_NET !$HOME_NET.

So

what I gather is that people are not monitoring their local networks
traffic?  Am I barking up the wrong tree here with what I want or does it
just take some configuration to get around the false positives that I'm
seeing?


Not at all. Snort placement and configuration is not a black or white
thing. For example, we have installations in client networks that are
configured for both :)  It depends where you monitor and what you want
to look for. We even have some sensors that have a duplicate "include
rule" sections. First we set EXTERNAL_NET to !HOME_NET, include most
rules, then set EXTERNAL_NET to any and include a specific subset of
rules.

You have to take a look at your setup and decide if you want to alert on
hostile intruders or on hostile insiders :)  You will probably find
yourself running both, with different configurations and perhaps on
different sensors.

(Tip: Focus on intruders at your connectivity points -- Internet, WAN
links, dial-in, wireless, etc -- and focus on insiders within your
server segments and cores.)

Hope that helps,
Frank



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Snort-users] Re: Noob, Frank Knobbe
Next by Date:  Re: [Snort-users] Re: Noob, J-H Johansen
Previous by Thread:  RE: [Snort-users] Re: Noob, Frank Knobbe
Next by Thread:  [Snort-users] Alternate Alerting for Snort - phone, Michael Bowman
Indexes:  [Date] [Thread] [Top] [All Lists]