Date: Thu, 8 Mar 2001 13:42:08 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Peter Brezny <peter@black.purplecat.net>
Cc: freebsd-security@freebsd.org
Subject: Re: New to Snort.
Message-ID: <20010308134208.D88665@mollari.cthul.hu>
In-Reply-To: <Pine.BSF.4.05.10103081233130.27988-100000@black.purplecat.net>; from peter@black.purplecat.net on Thu, Mar 08, 2001 at 12:35:47PM -0500
References: <Pine.BSF.4.05.10103081233130.27988-100000@black.purplecat.net>
On Thu, Mar 08, 2001 at 12:35:47PM -0500, Peter Brezny wrote:
> am i in big trouble?

No: snort is a tool for identifying packets which match certain rules. Which ruleset you use determines what types of packets it will match, and these can be arbitrary, even unrelated to security. Like all tools, snort is only useful if you understand what it's telling you and what it means.

The rulesets which snort ships with tend to generate a large number of false positives, especially on busy networks. You either need to tune them by hand, or use a more restrictive ruleset (I use and recommend the ArachNIDS ruleset from www.whitehats.com/ids -- but the same conditions apply as described above, for example on my DSL line at home I get an nmap ping (usually spoofed) about every 3 seconds from someone. If I was a cluebie I'd probably be in a blind panic about someone trying to hack my box, but instead I know it's just someone who desperately wants to get a response out of my IP address for port scanning purposes, perhaps because they don't know how to use nmap properly. Since I have a properly configured firewall, I have nothing to worry about from this rule, and in fact I've removed it to keep my log file size sane.)

As noted by the other respondent, snort questions should go to the snort-users list.

Kris
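The reply's advice is to look at what snort is actually reporting and tune or drop the rules that dominate the log. As an added example (not part of the original mail or of snort itself), the script below parses alerts in snort's one-line "fast" alert format, which is assumed here with its optional bracketed fields, counts them per signature and per source, and flags signatures that make up most of the volume as tuning candidates. The alert lines, addresses and SIDs are constructed for the example.

```python
import re
from collections import Counter

# Assumed layout of snort's one-line "fast" alert format; the [gid:sid:rev],
# Classification, Priority and {proto} fields are optional across versions.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"(?:\{(?P<proto>\w+)\}\s+)?"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = FAST_ALERT.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count alerts per signature message and per (message, source address)."""
    by_sig, by_src = Counter(), Counter()
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            continue  # skip non-alert lines rather than failing the whole run
        by_sig[a["msg"]] += 1
        by_src[(a["msg"], a["src"])] += 1
    return by_sig, by_src

def noisy_signatures(lines, min_share=0.5):
    """Signatures accounting for at least min_share of all alerts: tune or drop them."""
    by_sig, _ = summarize(lines)
    total = sum(by_sig.values())
    return [sig for sig, n in by_sig.most_common() if total and n / total >= min_share]

# Constructed sample alerts (RFC 5737 documentation addresses, made-up SIDs).
SAMPLE = """\
03/08-13:42:08.101010  [**] [1:100001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
03/08-13:42:11.202020  [**] [1:100001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.11 -> 198.51.100.5
03/08-13:42:14.303030  [**] [1:100001:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
03/08-13:43:00.404040  [**] [1:100002:2] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:4321 -> 198.51.100.5:80
not an alert line
""".splitlines()

if __name__ == "__main__":
    by_sig, _ = summarize(SAMPLE)
    for sig, n in by_sig.most_common():
        print(f"{n:5d}  {sig}")
    print("tuning candidates:", noisy_signatures(SAMPLE))
```

Run it against a real alert file with `summarize(open("alert").readlines())`; whether a dominant signature is a false positive or a real problem is still a judgement the script does not make for you.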