Re: Snort as IDS



Hi Jon:
The first thing that I observed about Snort is - the administrator
should be very good at tuning it according to h(is|er) understanding
of the network. The Snort rules are prone to false alarms. So you have to
bang your head ;)
Other comments are below..
On Jan 11, 2008 4:03 PM, Jon Uriona <jurionamendi@xxxxxxxx> wrote:
Hi all,

I need to know if I need to apply web detection rules
(attacks, cgi, client, misc, php...) and the preprocessor (http_inspect) to
devices acting as web proxies. I am getting thousands of alerts due to
those rules from my proxy clients and their external requests, all of which I
believe are false. Am I right?
I am a bit confused: Snort is a network-level IDS, so why do
you need to configure it specifically for each client? Also, any proxy
embeds the HTTP request/response in other HTTP packets and forwards it to
the client/server. So, if the attack is against a client, the proxy server
is safe as it may not be processing the packet (of course, if
additional checks are not configured on it).

And for web servers other than Apache and IIS, do I have to apply
http_inspect with any profile?
Yes, if you are monitoring your web server, you should apply those rules.

I am trying to set up my http_inspect preprocessor.
If I have a Squid proxy listening on ports 80 and 8080, do I need to
configure a preprocessor http_inspect_server for it? And should I use
apache profile?

If I am using any other web server (neither IIS nor Apache), do I need
to configure a preprocessor http_inspect_server for it? If so, which
profile?

And same question about application servers, like AOL for example. Do I
need to configure http_inspect_server for it? Which profile?

The answer to the last few queries is: if the traffic involves HTTP,
enable a generic profile. Do some monitoring for some time and
tune your rules accordingly.

Thanx in advance,

Jon




Sanjay
--
Computer Security Learner
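As an added example (not from this thread or from the Snort project), the script below works through the tuning step Sanjay describes: it parses Snort 2.x alert_fast lines, finds rules whose alerts come mostly from the proxy's own outbound requests, and renders threshold.conf `suppress` entries scoped to the proxy address so the rule stays active for every other host. The sample alert lines, the proxy address 10.0.0.5 and the 75% share cutoff are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches Snort 2.x alert_fast lines: "[gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport"
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts (not real captures). 10.0.0.5 plays the Squid proxy
# from the thread; SIDs and messages are illustrative of the web rule set.
SAMPLE_ALERTS = """\
01/11-16:03:12.000001  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 10.0.0.5:43210 -> 203.0.113.7:80
01/11-16:03:13.000002  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 10.0.0.5:43211 -> 203.0.113.8:80
01/11-16:03:14.000003  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 10.0.0.5:43212 -> 198.51.100.2:8080
01/11-16:03:15.000004  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:51000 -> 10.0.0.20:80
01/11-16:03:16.000005  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 192.0.2.9:51001 -> 10.0.0.20:80
"""

def parse_alerts(text):
    """Return one dict per parseable alert_fast line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            d = m.groupdict()
            d["gid"], d["sid"], d["dport"] = int(d["gid"]), int(d["sid"]), int(d["dport"])
            alerts.append(d)
    return alerts

def proxy_noise(alerts, proxy_ips, min_share=0.75):
    """Map (gid, sid) -> (total, from_proxy) for rules that fire mostly on the
    proxy's outbound requests, i.e. the candidates for tuning."""
    total, from_proxy = defaultdict(int), defaultdict(int)
    for a in alerts:
        key = (a["gid"], a["sid"])
        total[key] += 1
        if a["src"] in proxy_ips:
            from_proxy[key] += 1
    return {k: (total[k], from_proxy[k]) for k in total
            if from_proxy[k] / total[k] >= min_share}

def suppress_lines(noise, proxy_ips):
    """Render threshold.conf 'suppress' entries that silence each noisy rule only
    when the proxy is the source, leaving the rule active for other hosts."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
            for (gid, sid) in sorted(noise) for ip in sorted(proxy_ips)]
```

Review the candidates by hand before installing the suppress lines: a rule that fires on proxied requests to an internal server may still be worth keeping.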
