Hi Jon:

The first thing that I observed about Snort is that the administrator should be very good at tuning it according to h(is|er) understanding of the network. The Snort rules are prone to false alarms, so you have to bang your head ;) Other comments are inline.

On Jan 11, 2008 4:03 PM, Jon Uriona <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I need to know if I need to apply web detection rules
> (attacks, cgi, client, misc, php...) and preprocessor (http_inspect) to
> devices acting as web proxies. I am getting thousands of alerts due to
> those rules from my proxy clients and their external requests, which I
> believe all of them are false. Am I right?

I am a bit confused, as Snort is a network-level IDS; therefore, why do you need to configure it specifically for each client? Also, any proxy embeds the HTTP request/response in other HTTP packets and forwards it to the client/server. So, if the attack is against a client, the proxy server is safe, as it may not be processing the packet (of course, if additional checks are not configured in it).

> And for web servers different than Apache and IIS, do I have to apply
> http_inspect with any profile?

Yes, if you are monitoring your web server, you should apply those rules.

> I am trying to set up my http_inspect preprocessor.
> If I have a Squid proxy listening on ports 80 and 8080, do I need to
> configure a preprocessor http_inspect_server for it? And should I use
> the apache profile?
>
> If I am using any other web server (neither IIS nor Apache), do I need
> to configure a preprocessor http_inspect_server for it? If so, which
> profile?
>
> And the same question about application servers, like AOL for example. Do I
> need to configure http_inspect_server for it? Which profile?
The answer to all the last few queries is: if the traffic involves HTTP, enable a generic profile. Do some monitoring for some time and accordingly tune your rules.

> Thanx in advance,
>
> Jon

Sanjay
--
Computer Security Learner
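As an added illustration, not part of Sanjay's or Jon's messages, here is what the "generic profile" answer and the follow-up tuning step look like as Snort 2.x configuration: an http_inspect_server stanza covering the Squid ports 80 and 8080 with `profile all` (Snort's generic profile, which assumes neither Apache nor IIS quirks), plus threshold.conf entries that rate-limit or suppress a noisy web rule for the proxy's client subnet. The IP addresses, subnet, SIDs and counts are placeholder values chosen for the example; the `profile`, `ports`, `threshold` and `suppress` keywords are standard Snort 2.x syntax.

```conf
# --- snort.conf fragment (added example; placeholder addresses) ---
# http_inspect only normalizes HTTP so the web rules can match it; it does
# not itself generate the WEB-* alerts. List the ports the proxy really
# serves, otherwise traffic on 8080 is never decoded as HTTP.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Generic profile for the Squid proxy and any non-Apache/non-IIS server.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    oversize_dir_length 500

# A server-specific entry is only worth adding for a host whose software
# you know; 192.0.2.10 is a placeholder for a known Apache box.
preprocessor http_inspect_server: server 192.0.2.10 \
    profile apache ports { 80 }

# Pull in the tuning written after the monitoring period.
include threshold.conf

# --- threshold.conf (added example; placeholder SIDs and subnet) ---
# Rate-limit a chatty rule per source: at most one alert per source per
# minute, so the proxy clients stop flooding the console but the rule
# still fires.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# Suppress a rule only for the proxy's client subnet, and only after the
# monitoring period has shown it never fires on real attacks from there;
# a suppress hides true positives from that source as well.
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.0.0.0/24
```

Replace the placeholder sig_id values with the SIDs that appear in your own alerts (the `[1:SID:rev]` field) after the monitoring period, and prefer `threshold ... type limit` over `suppress` wherever the rule still has some detection value on that subnet.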
