If you have a Class B address space, as many of us early .edu sites do,
one gets tired very early on of the thousands of firewall log deny
entries per day and the tons of IDS alerts found outside the firewall.
For a site with a limited number of public IP addrs, I can agree that a
probe outside the firewall might well be instructive.
Bruce
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Lee
Clemens
Sent: Tuesday, November 15, 2005 7:54 PM
To: 'Timothy A. Holmes'; 'snort'
Subject: RE: [Snort-users] Where do I go from here
I agree, although it is a great learning experience to keep a sensor
outside of your firewall. I learned a great deal due to the increased
frequency of attacks. When my router is set up properly there aren't any
unsolicited incoming packets (that I've seen), so it can be a bit
boring.
For now, I'd have to recommend keeping it outside, so that you can get a
feel for the setup. More data coming into BASE will help you move about,
and then you will have a better idea of what to expect if you move the
sensor inside the firewall and wonder, Is this thing on? -- as you'll
hopefully get far fewer alerts.
Ideally you would have at least two taps, one right in front of your
firewall and one directly behind. Then you could compare the data from
the two and identify what is getting through and work on figuring out
the why.
My two cents
Lee
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Briggs,
Bruce
Sent: Tuesday, November 15, 2005 4:01 PM
To: Timothy A. Holmes; snort
Subject: RE: [Snort-users] Where do I go from here
So you are monitoring what is outside you door in a crime-ridden
neighborhood (the Internet).
This does not tell you what is coming through your door (your firewall).
Personally, I care what makes it into my network. I don't care all that
much about what does not make it into my network.
So for me, I want an IDS inside my network. For me, an IPS is a better
candidate to be outside your firewall than an IDS.
Bruce
________________________________
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Timothy A.
Holmes
Sent: Tuesday, November 15, 2005 2:16 PM
To: snort
Subject: [Snort-users] Where do I go from here
Hi Folks:
After some fits and starts, I believe that I have a functional IDS Box
watching the front door now, and I took out the back door (Wireless ap)
and repaired the hole in the wall with bricks and mortar
So, I guess the next question is what is the next step?
To summarize, I have a SNORT box up and sniffing on the inbound line
between the Cable Modem and the Firewall. The management port is inside
the firewall and has an IP on it while the sniffing port is outside the
firewall and does not have one.
I am logging to a mysql database, and running base for reporting.
As of the last check, I have received about 4500 alerts today, here is
the breakdown from base on them
Displaying alerts 1-7 of 7 total
<
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_a
Signature >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_d
<
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class
_a>
Classification >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class
_d>
<
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur
_a>
Total # >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur
_d>
Sensor #
<
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr
_a>
Source Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr
_d>
<
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr
_a>
Dest. Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr
_d>
<
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first
_a>
First >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first
_d>
<
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_
a>
Last >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_
d>
[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=3> ] (portscan) TCP
Portsweep
unclassified
55
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=1&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%)
1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=1&
sig_type=1>
1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=1>
31
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=1>
2005-11-15 03:06:05
2005-11-15 13:12:23
[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open
Port
unclassified
3679
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=2&sig_type=1&submit=Query+DB&num_result_rows=-1> (33%)
1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=2&
sig_type=1>
1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=2>
302
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=2>
2005-11-15 03:06:08
2005-11-15 13:12:28
[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=4> ] (http_inspect)
BARE BYTE UNICODE ENCODING
unclassified
444
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=3&sig_type=1&submit=Query+DB&num_result_rows=-1> (4%)
1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=3&
sig_type=1>
2
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=3>
1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=3>
2005-11-15 00:37:16
2005-11-15 14:12:38
[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=2> ] (http_inspect)
DOUBLE DECODING ATTACK
unclassified
21
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=4&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%)
1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=4&
sig_type=1>
1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=4>
9
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=4>
2005-11-15 07:16:16
2005-11-15 12:38:53
[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=15> ] (http_inspect)
OVERSIZE REQUEST-URI DIRECTORY
unclassified
6
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=6&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%)
1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=6&
sig_type=1>
1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=6>
3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=6>
2005-11-15 10:43:42
2005-11-15 11:46:43
[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1> ] (portscan) TCP
Portscan
unclassified
3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=9&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%)
1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=9&
sig_type=1>
1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=9>
3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=9>
2005-11-15 10:36:26
2005-11-15 10:36:42
[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=16> ] (http_inspect)
OVERSIZE CHUNK ENCODING
unclassified
3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D
=13&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%)
1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=13
&sig_type=1>
1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=13>
1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B
0%5D=%3D&sig%5B1%5D=13>
2005-11-15 11:45:36
2005-11-15 11:46:40
I guess I need to know what to do next and how to begin utilizing this
data to better protect my network
Anyone who can help, or point me to the proper resources would be
greatly appreciated
TIM
Timothy A. Holmes
IT Manager / Network Admin / Web Master / Computer Teacher
Medina Christian Academy
A Higher Standard...
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam for All
Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id�845&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
