From: Graham, Randy (RAW) (RAWy12.doe.gov)
Date: Tue Jul 02 2002 - 11:37:49 CDT


    I don't know how others handle this, but I can tell you what I use where I
    work. My Snort central database and ACID console are on one machine which
    is only accessible via SSH. On that machine, I run Apache listening only on
    localhost (127.0.0.1). To view the ACID console, authorized users must 'ssh
    -X username@acidhost' and run konqueror on the ACID host. This transports
    the entire web session over an encrypted SSH tunnel. Works great, no one
    can get to my ACID data unless they break in through SSH (which I've updated
    to avoid the latest OpenSSH vulnerability), and I don't have to do anything
    for my users beyond loading cygwin and creating an account on the machine
    hosting ACID.

    RagManX

    > -----Original Message-----
    > From: R. Anthony Kolstee [mailto:tkolsteemanyroads.com]
    > Sent: Monday, July 01, 2002 0:23 AM
    > To: snort-userslists.sourceforge.net
    > Subject: [Snort-users] Viewing detail logs causes secondary false
    > positive.
    >
    >
    > I run both SnortReport and ACID on my snort logs, and have experienced
    > an interesting phenomenon with both. Pardon me if this is in TFM
    > somewhere...
    >
    > When viewing the detailed logs including payload data on an
    > alert, I've
    > found that the content revealed in the payload usually causes a
    > secondary alert to occur. Obviously the content of the payload being
    > viewed is going to contain the original string that caused the IDS to
    > alert in the first place, but has anyone found a reliable way around
    > this? My only thought at the moment is to use SSL on the web browser
    > when viewing these reports; does anyone else have a better way around
    > this that isn't immediately apparent to me? Note that I can't make the
    > console immune or invisible to alerts on port 80, because the box in
    > question is a collocated web server and as such is self-contained.
    >
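The setup RagManX describes relies on one property that is easy to get wrong and worth verifying: the web server fronting the console must be bound to 127.0.0.1 only, so that the only way to reach the ACID pages is through the SSH session. The following check is an added example written for this archive page; it is not code from the thread, from ACID, or from Snort. It assumes a Linux host where `ss -ltn` is available and assumes (as a placeholder, not something the thread states) that the console is served on ports 80 and 443. It parses the listener table and reports any console port bound to a non-loopback address. A constructed sample of `ss -ltn` output is embedded so it runs offline; the `main()` at the bottom runs the same check against the live host.

```python
#!/usr/bin/env python3
"""Verify that a web console (e.g. ACID behind Apache) listens only on loopback.

Added example for the snort-users thread above, not part of the original
message. Parses `ss -ltn` output (Linux) and flags console ports that are
reachable from a non-loopback address.
"""
import ipaddress
import subprocess

# Assumption: the console is served on these ports. Adjust to your Apache config.
CONSOLE_PORTS = {80, 443}

# Constructed sample of `ss -ltn` output (not captured from any real host).
# Port 80 is correctly bound to loopback (v4 and v6); port 443 is exposed.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:80        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::1]:80            [::]:*
"""


def split_addr(local):
    """Split an ss 'Local Address:Port' field into (address, port).

    ss prints IPv6 addresses in brackets, e.g. '[::1]:80', and uses the last
    ':' as the port separator, so rpartition is the right tool here.
    """
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]")
    # Drop an interface scope such as 'fe80::1%eth0' before parsing.
    addr = addr.split("%", 1)[0]
    return addr, int(port)


def is_loopback(addr):
    """True only if the address is provably a loopback address."""
    if addr in ("*", "0.0.0.0", "::"):
        return False  # wildcard binds are reachable from every interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # anything unparseable is not treated as safe


def exposed_listeners(ss_output, ports=CONSOLE_PORTS):
    """Return [(address, port)] for console ports not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_addr(fields[3])
        if port in ports and not is_loopback(addr):
            exposed.append((addr, port))
    return exposed


def main():
    """Run the check against the live host; fall back to the sample if ss is absent."""
    try:
        out = subprocess.run(["ss", "-ltn"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("ss not available, checking constructed sample instead")
        out = SAMPLE_SS
    bad = exposed_listeners(out)
    if bad:
        for addr, port in bad:
            print(f"EXPOSED: console port {port} bound to {addr}")
    else:
        print("OK: console ports are bound to loopback only")


if __name__ == "__main__":
    main()
```

On the sample the check reports port 443 on 0.0.0.0 and stays quiet about port 80, which is bound to 127.0.0.1 and ::1. Port 22 on all interfaces is deliberately not flagged, since SSH is the intended entry point in this design; if the host also carries Apache's IPv6 wildcard bind (`[::]:80`), the check catches that too, which is the case people most often miss when they only add `Listen 127.0.0.1:80`.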

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users