Date: Thu, 8 Mar 2001 16:10:31 -0600
From: Scott Johnson <sjohn@airlinksys.com>
To: freebsd-security@freebsd.org
Subject: Re: New to Snort.
Message-ID: <20010308161031.A23872@ns2.airlinksys.com>
In-Reply-To: <20010308134208.D88665@mollari.cthul.hu>; from kris@obsecurity.org on Thu, Mar 08, 2001 at 01:42:08PM -0800
References: <Pine.BSF.4.05.10103081233130.27988-100000@black.purplecat.net> <20010308134208.D88665@mollari.cthul.hu>
Quoth Kris Kennaway on Thu, Mar 08, 2001 at 01:42:08PM -0800:
> On Thu, Mar 08, 2001 at 12:35:47PM -0500, Peter Brezny wrote:
> > am i in big trouble?
>
> No: snort is a tool for identifying packets which match certain rules.
> Which ruleset you use determines what types of packets it will match,
> and these can be arbitrary, even unrelated to security. Like all
> tools, snort is only useful if you understand what it's telling you
> and what it means.
>
> The rulesets which snort ships with tend to generate a large number of
> false positives, especially on busy networks. You either need to tune
> them by hand, or use a more restrictive ruleset (I use and recommend
> the ArachNIDS ruleset from www.whitehats.com/ids

I download the latest vision.conf from whitehats every night using a script called update-vision.sh. Find it at:

http://www.whitehats.com/ids/index.html

The script grabs the latest signature file, then removes entries already in your current libraries.

In addition, I have modified the script to use my own custom ruletypes, so I can have stuff I deem important handled differently from stuff I don't consider important. Basically I filter the rules through sed to translate the standard built-in ruletype (alert) to one of my own, and selectively change some IDS #'s to other ruletypes depending on how I want it logged. Some I just comment out, because they're just noise.

This is important, since I use syslog to pass me the alerts in real time. Nothing sucks more than a flood of alerts from scans. On the other hand, a message on my terminal for something important I like a lot.

--
Scott Johnson
System/Network Administrator
Airlink Systems

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
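The sed-based retyping described above, as an added example that is not part of the original post or of update-vision.sh: a POSIX sh function that rewrites a rules file so that rules carrying a listed ArachNIDS ID get a custom `important` ruletype, listed noise IDs are commented out, and every remaining `alert` becomes `minor`. The ruletype names, the ID lists and the sample rules are constructed, and the assumed rule layout (the ID in the msg field as `IDSnnn/name`) is an assumption.

```shell
#!/bin/sh
# Added example, not update-vision.sh. Assumed snort.conf ruletypes to pair with it:
#   ruletype important
#   {
#     type alert
#     output alert_syslog: LOG_AUTH LOG_ALERT
#   }
#   ruletype minor
#   {
#     type log
#     output log_tcpdump: minor.log
#   }
# Assumed rule layout: the ArachNIDS ID appears in the msg field as "IDSnnn/name".
IMPORTANT_IDS="9001 9002"   # constructed IDs routed to the 'important' ruletype
NOISE_IDS="9003"            # constructed IDs that are pure noise: comment them out

# retype_rules FILE: print FILE with the built-in 'alert' ruletype rewritten.
# The ID-specific expressions run first; the catch-all only sees lines that
# still start with 'alert', so the order of the sed expressions is what makes
# this correct.
retype_rules() {
  rules=$1
  set --
  for id in $NOISE_IDS; do
    # [^0-9] stops IDS900 from also matching IDS9003
    set -- "$@" -e "/IDS$id[^0-9]/s/^alert /#alert /"
  done
  for id in $IMPORTANT_IDS; do
    set -- "$@" -e "/IDS$id[^0-9]/s/^alert /important /"
  done
  sed "$@" -e 's/^alert /minor /' "$rules"
}

# Constructed sample in the vision.conf style; these are not real signatures.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample rules
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS9001/web-cgi_example"; flags: AP; content: "example";)
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS9002/dns-example-probe"; content: "version";)
alert ICMP $EXTERNAL any -> $INTERNAL any (msg: "IDS9003/icmp-example-ping"; itype: 8;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS9017/ftp-example"; content: "example";)
EOF

retype_rules "$SAMPLE_RULES"
```

Pipe the real vision.conf through `retype_rules` in place of the sample file and point snort at the result; the `rm` of the temp file is left to the caller.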