Re: [Snort-users] Getting more paranoid by the minute. :-/

From: Alejandro Flores (alejandro.florestriforsec.com.br)
Date: Sun Apr 25 2004 - 08:09:32 CDT


        Hello,

> Somewhat unrelated question: Once I set this up, how much time should I
> expect to have to spend on it daily? They want me to do other stuff,
> like install tripwire and host-based firewalls on all the servers, run
> nessus against everything and deal with the results, set up a new mail
> server, and a myriad of other normal SysAdmin tasks. I certainly hope
> that Snort doesn't require a lot of care and feeding every day ... but I
> don't know enough yet to be able to judge that.

        After install, you should properly configure Snort for your network. I
mean, configure the variables correctly (HOME_NET, HTTP_SERVERS...) so
you can get more accuracy from Snort. As you said that they will run
webapps, configure the http_inspect preprocessor very carefully. This
will reduce the false positives.
        Check this article on securityfocus about SQL Injection and XSS:
        http://www.securityfocus.com/infocus/1768
        I don't like to log the alerts directly from Snort to the database. I
prefer to log to the unified output, and run barnyard to read this log
and send the alerts to the database. This way, you can schedule a job,
transfer the logs to a central location, and correlate the data.
        After setup, the first days will be learning days. You'll discover how
the internet likes your network, and things like CodeRed and MS-SQL WORM
are still alive.

Have fun!
Alejandro Flores

--TriForSec
http://www.triforsec.com.br/
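A snort.conf fragment putting the three points of the reply above into one file (network variables, http_inspect tuned per web server, unified output handed to barnyard). This is an added example, not configuration from the original message or from the Snort project; the addresses, ports, rule path and file names are assumptions.

```conf
# Added example (not from the original message): Snort 2.1-era snort.conf
# fragment. All addresses, ports, paths and file names are assumptions.

# 1. Network variables. The more precisely HOME_NET and HTTP_SERVERS match
#    the monitored segment, the fewer rules fire on traffic they do not apply to.
var HOME_NET [192.0.2.0/24]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS [192.0.2.10,192.0.2.11]
var HTTP_PORTS 80
var SQL_SERVERS [192.0.2.20]
var RULE_PATH /etc/snort/rules

# 2. http_inspect: one global block plus one server block per web server.
#    Matching the profile to the daemon actually running (apache vs iis)
#    avoids alerts on encodings that are only abnormal for the other one.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 }
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 } flow_depth 300
preprocessor http_inspect_server: server 192.0.2.11 \
    profile iis ports { 80 }

# 3. Output: write unified binary alert and log files instead of inserting
#    into the database from the Snort process. barnyard reads these files
#    (see below) and does the database inserts, so a slow or unreachable
#    database cannot stall packet processing.
output unified: filename snort.unified, limit 128

# Rules are loaded after the variables and preprocessors are defined.
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules

# Companion barnyard invocation (assumed paths). It runs as a daemon and
# records how far it has read in the spool file in the waldo file, so it
# resumes where it left off after a restart:
#   barnyard -D -c /etc/snort/barnyard.conf -d /var/log/snort \
#            -f snort.unified.alert -w /var/log/snort/barnyard.waldo
```

The database connection itself (host, credentials, sensor_id) lives in barnyard.conf rather than in snort.conf, which is what lets the sensor keep running when the database is down.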
