|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Jon Uriona (jurionamendi
yahoo.es)
Date: Mon Jan 14 2008 - 04:32:36 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi Sanjay
First, thanx for your reply,
> Hi Jon:
> The first thing that i observed about Snort is - The administrator
> should be very good at tuning it according to h(is|er) understanding
> of network. The snort rules are prone to false alarms. So you have to
> bang your head ;)
I'm trying to learn about this network (new to me) while I tune the IDS...
>> I need to know if I need to apply web detection rules
>> (attacks, cgi, client, misc, php...) and preprocesor (http_inspect) to
>> devices acting as web proxies. I am getting thousand of alerts due to
>> those rules from my proxy clients and their external requests which I
>> believe all of them are false. Am I right?
> I am bit confused as Snort is network level IDS and therefore, why do
> you need to configure it specific to each client?
It's a network IDS in the sense that it "sees" all the network traffic,
but what it needs to detect is the signatures of the "attacks" it has in
it's rule database. In the case of this network, the biggest amount of
traffic I have to "look" at is the traffic entering to the proxies...
> Also, any proxy
> embeds HTTP request/response in another http packets and forward it to
> the client/server. So, if the attack is against a client, proxy server
> is safe as it may not be processing the packet (of course, if
> additional checks are not configured in it).
Here is the clue... So I guess I have to know if my proxy processes in
any manner these requests...
Anyway I think that the objetive of the attacks in snort rulebase in the
web-* rules is never the proxy, is the final website.
I've done some searches in my web-* rulebase about "Squid"
vulnerabilities and I have only found one... This vuln is already
patched in the Squid servers, so I think my proxy servers will get out
of the http-server group.
Thanx,
Jon
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]