Date:      Thu, 8 Mar 2001 16:10:31 -0600
From:      Scott Johnson <sjohn@airlinksys.com>
To:        freebsd-security@freebsd.org
Subject:   Re: New to Snort.
Message-ID:  <20010308161031.A23872@ns2.airlinksys.com>
In-Reply-To: <20010308134208.D88665@mollari.cthul.hu>; from kris@obsecurity.org on Thu, Mar 08, 2001 at 01:42:08PM -0800
References:  <Pine.BSF.4.05.10103081233130.27988-100000@black.purplecat.net> <20010308134208.D88665@mollari.cthul.hu>

Quoth Kris Kennaway on Thu, Mar 08, 2001 at 01:42:08PM -0800:
> On Thu, Mar 08, 2001 at 12:35:47PM -0500, Peter Brezny wrote:
> > am i in big trouble?
> 
> No: snort is a tool for identifying packets which match certain rules.
> Which ruleset you use determines what types of packets it will match,
> and these can be arbitrary, even unrelated to security.  Like all
> tools, snort is only useful if you understand what it's telling you
> and what it means.
> 
> The rulesets which snort ships with tend to generate a large number of
> false positives, especially on busy networks.  You either need to tune
> them by hand, or use a more restrictive ruleset (I use and recommend
> the ArachNIDS ruleset from www.whitehats.com/ids

I download the latest vision.conf from whitehats every night using a
script called update-vision.sh. Find it at:

	http://www.whitehats.com/ids/index.html

The script grabs the latest signature file, then removes entries already
in your current libraries. In addition, I have modified the script to use
my own custom ruletypes, so I can have stuff I deem important handled
differently from stuff I don't consider important. Basically I filter the
rules through sed to translate the standard built-in ruletype (alert) to
one of my own, and selectively change some IDS #'s to other ruletypes
depending on how I want it logged. Some I just comment out, because
they're just noise. This is important, since I use syslog to pass me the
alerts in real time. Nothing sucks more than a flood of alerts from scans.
On the other hand, a message on my terminal for something important I like
a lot.

-- 
                                 Scott Johnson
                          System/Network Administrator
                                Airlink Systems

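The workflow Scott describes (fetch the signature file, drop rules already in the local library, then run the rest through sed so that important rules get a custom ruletype, unimportant ones a quieter ruletype, and noise gets commented out) as an added POSIX shell example. This is not Scott's update-vision.sh, which is not on the page, nor whitehats.com code; the ruletype names "critical" and "normal", the choice of which ArachNIDS IDS numbers are important or noise, the sample rules and the snort.conf ruletype definitions are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not the update-vision.sh from the message. Rewrites a freshly
# downloaded Snort rules file for local ruletypes, the way the message describes.

# --- policy (hypothetical): which ArachNIDS IDS numbers matter on this network
IMPORTANT_IDS="IDS317 IDS128"   # routed to a ruletype that reaches the terminal
NOISE_IDS="IDS162"              # commented out: scan noise

# --- constructed sample "downloaded" signature file, in vision.conf style
NEW_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; flags:A+; content:"site exec"; reference:arachnids,IDS317; sid:10317;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,IDS162; sid:10162;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf"; flags:A+; content:"/phf"; reference:arachnids,IDS128; sid:10128;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS version query"; content:"version"; reference:arachnids,IDS278; sid:10278;)'

# --- constructed rule already present in the local rule library
EXISTING_RULES='alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf"; flags:A+; content:"/phf"; reference:arachnids,IDS128; sid:10128;)'

# sids_of: print the sid of every rule read on stdin, one per line
sids_of() { sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p'; }

# new_only "<space-separated sids>": read downloaded rules on stdin and drop
# every rule whose sid is already in the list (the "removes entries already
# in your current libraries" step)
new_only() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        match($0, /sid:[0-9]+;/) {
            sid = substr($0, RSTART + 4, RLENGTH - 5)   # strip "sid:" and ";"
            if (sid in seen) next
        }
        { print }'
}

# filter_rules: the sed pass from the message. Noise rules are commented out
# first (so the later substitutions skip them), important rules get the
# "critical" ruletype, and every remaining alert becomes "normal".
filter_rules() {
    nl='
'
    script=""
    for id in $NOISE_IDS; do
        script="${script}/reference:arachnids,${id};/s/^/#/${nl}"
    done
    for id in $IMPORTANT_IDS; do
        script="${script}/reference:arachnids,${id};/s/^alert /critical /${nl}"
    done
    script="${script}s/^alert /normal /"
    sed "$script"
}

# count_type <ruletype>: how many rules on stdin are routed to that ruletype
count_type() { grep -c "^$1 " || true; }

# ruletype_defs: matching ruletype definitions for snort.conf (assumed Snort 1.x
# syntax; alert_syslog and alert_fast are that era's output plugins). The
# "critical" type goes to syslog so it can be relayed to a terminal in real time.
ruletype_defs() {
    cat <<'EOF'
ruletype critical
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}
ruletype normal
{
    type alert
    output alert_fast: alert.normal
}
EOF
}

# pipeline: new rules in, only unseen rules out, rewritten for local ruletypes
known=$(printf '%s\n' "$EXISTING_RULES" | sids_of | tr '\n' ' ')
FILTERED=$(printf '%s\n' "$NEW_RULES" | new_only "$known" | filter_rules)
printf '%s\n' "$FILTERED"
```

On the constructed input the phf rule is dropped as already known, the FTP rule comes out as `critical`, the DNS rule as `normal`, and the NMAP ping rule is left in the file but commented out, which keeps the noisy signature visible for later review without letting it page anyone. The two sed lists are the only thing to maintain as new signatures arrive.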