Hi Sanjay
First, thanx for your reply,
Hi Jon:
The first thing that i observed about Snort is - The administrator
should be very good at tuning it according to h(is|er) understanding
of network. The snort rules are prone to false alarms. So you have to
bang your head ;)
I'm trying to learn about this network (new to me) while I tune the IDS...
I need to know if I need to apply web detection rules
(attacks, cgi, client, misc, php...) and preprocesor (http_inspect) to
devices acting as web proxies. I am getting thousand of alerts due to
those rules from my proxy clients and their external requests which I
believe all of them are false. Am I right?
I am bit confused as Snort is network level IDS and therefore, why do
you need to configure it specific to each client?
It's a network IDS in the sense that it "sees" all the network traffic,
but what it needs to detect is the signatures of the "attacks" it has in
it's rule database. In the case of this network, the biggest amount of
traffic I have to "look" at is the traffic entering to the proxies...
Also, any proxy
embeds HTTP request/response in another http packets and forward it to
the client/server. So, if the attack is against a client, proxy server
is safe as it may not be processing the packet (of course, if
additional checks are not configured in it).
Here is the clue... So I guess I have to know if my proxy processes in
any manner these requests...
Anyway I think that the objetive of the attacks in snort rulebase in the
web-* rules is never the proxy, is the final website.
I've done some searches in my web-* rulebase about "Squid"
vulnerabilities and I have only found one... This vuln is already
patched in the Squid servers, so I think my proxy servers will get out
of the http-server group.
Thanx,
Jon
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
