Re: [newbie] configuration of Snort IDS

2002-10-03 Thread David Johnson

Get a copy of NMAP and start scanning devices on your network to see if the 
Snort box catches it.  If not, you'll need to go over your config settings 
with a fine-tooth comb.  You'll usually find that a typo in the network 
address or something is easy to do.

The DNS variable is for you to put in the address(es) of your DNS machine(s).  
This will cause Snort to ignore certain DNS rules that would otherwise cause 
false alarms.

Snort rule updates can be found at snort.org in the downloads section.

On Sunday 22 September 2002 10:21 pm, Vandenbore Sebastiaan wrote:
 On Friday 20 September 2002 20:25, you wrote:

 Ok, I've done that, and now the output is gone, I mean all output. Nothing
 is being logged by snort anymore, or nothing special has happened these last
 days.

   What about the DNS variable? What should be put there?
   Where can I find updates of the snort rules?

 I've combined Snort with Bastille Firewall, Hostsentry, Portsentry and
 Logcheck (to get a mail notification every day). Have you got any ideas
 to secure the machine even more? Is it a good combination?



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



[newbie] configuration of Snort IDS

2002-09-20 Thread Vandenbore Sebastiaan

I have snort running on my system, but it logs some stuff that I don't need.
Can I set it up in any way that it doesn't log the connections from my 
computer to the proxies I'm using (213.224.83.x)?






Re: [newbie] configuration of Snort IDS

2002-09-20 Thread Chris Slater-Walker


On Fri, 20 Sep 2002, Vandenbore Sebastiaan wrote:

 I have snort running on my system, but it logs some stuff that I don't need.
 Can I set it up in any way that it doesn't log the connections from my
 computer to the proxies I'm using (213.224.83.x)?



I'm a newcomer to Snort myself, so the following may be partially or
totally incorrect, but you might like to try it:

In the /etc/snort.conf file (check the location of that file!), there
should be an item that looks like:

var MY_NET any

This Snort variable tells Snort which networks are internal. So, for
example, if you want to tell Snort that all of the 213.224.83.x network is
an internal network, you put this in snort.conf:

var MY_NET 213.224.83.0/24

You can also include other networks in your definition, e.g.:

var MY_NET [213.224.83.0/24,192.168.0.0/24]


Now many of the Snort rules use the $EXTERNAL_NET and $MY_NET variables to
determine whether there is a potential attack, so if Snort knows which
networks are internal then it won't report traffic from those networks as
an attack.

You _might_ also need to change the $EXTERNAL_NET variable to _exclude_
the networks you have defined for $MY_NET, e.g.:

var EXTERNAL_NET ![213.224.83.0/24,192.168.0.0/24]

Like I said, this is all I can tell you with my limited experience. If
anyone out there knows better, please let us both know!

Regards

Chris Slater-Walker








Re: [newbie] configuration of Snort IDS

2002-09-20 Thread David Johnson

Chris,

Your advice is largely accurate, but an easier way to set the $EXTERNAL_NET 
variable would be to set it equal to !$MY_NET.  Keeps the code a little 
neater.

You definitely want to set $EXTERNAL_NET to be equal to !$MY_NET to reduce 
false positives internally.

On Friday 20 September 2002 06:01 am, Chris Slater-Walker wrote:
 On Fri, 20 Sep 2002, Vandenbore Sebastiaan wrote:
  I have snort running on my system, but it logs some stuff that I don't
  need. Can I set it up in any way that it doesn't log the connections from
  my computer to the proxies I'm using (213.224.83.x)?

 I'm a newcomer to Snort myself, so the following may be partially or
 totally incorrect, but you might like to try it:

 In the /etc/snort.conf file (check the location of that file!), there
 should be an item that looks like:

 var MY_NET any

 This Snort variable tells Snort which networks are internal. So, for
 example, if you want to tell Snort that all of the 213.224.83.x network is
 an internal network, you put this in snort.conf:

 var MY_NET 213.224.83.0/24

 You can also include other networks in your definition, e.g.:

 var MY_NET [213.224.83.0/24,192.168.0.0/24]


 Now many of the Snort rules use the $EXTERNAL_NET and $MY_NET variables to
 determine whether there is a potential attack, so if Snort knows which
 networks are internal then it won't report traffic from those networks as
 an attack.

 You _might_ also need to change the $EXTERNAL_NET variable to _exclude_
 the networks you have defined for $MY_NET, e.g.:

 var EXTERNAL_NET ![213.224.83.0/24,192.168.0.0/24]

 Like I said, this is all I can tell you with my limited experience. If
 anyone out there knows better, please let us both know!

 Regards

 Chris Slater-Walker
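How the two variables decide whether a rule fires, as an added example (not code from this thread or from Snort itself): a small Python evaluator for Snort-style address specs (`any`, a CIDR, a `[...]` list, `!` negation, `$VAR` references) applied to a rule header, with the loose `EXTERNAL_NET any` setting beside David's `!$MY_NET`. The variable name MY_NET follows the thread; stock snort.conf calls it HOME_NET. The 203.0.113.7 source address is constructed.

```python
import ipaddress

# Constructed snort.conf-style variable sets for comparison (not from the thread's files).
# The thread names the internal network MY_NET; stock snort.conf uses HOME_NET.
LOOSE_VARS = {"MY_NET": "[213.224.83.0/24,192.168.0.0/24]", "EXTERNAL_NET": "any"}
TIGHT_VARS = {"MY_NET": "[213.224.83.0/24,192.168.0.0/24]", "EXTERNAL_NET": "!$MY_NET"}

# A rule header in Snort's shape: action proto src_addr src_port -> dst_addr dst_port.
RULE = "alert tcp $EXTERNAL_NET any -> $MY_NET any"


def expand(spec, variables):
    """Resolve an address spec to (negated, networks); networks is None for 'any'.
    Supports a leading '!', a $VAR reference, 'any', one CIDR or a [a,b,...] list.
    Variables nested inside a [...] list are not handled here."""
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = expand(variables[spec[1:]], variables)
        return negated != inner_negated, nets  # !$X where X is itself negated flips back
    if spec == "any":
        return negated, None
    items = spec[1:-1].split(",") if spec.startswith("[") and spec.endswith("]") else [spec]
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]


def matches(spec, variables, ip):
    """True if ip falls inside the (possibly negated) address spec."""
    negated, nets = expand(spec, variables)
    addr = ipaddress.ip_address(ip)
    hit = True if nets is None else any(addr in n for n in nets)
    return hit != negated


def rule_fires(rule_header, variables, src_ip, dst_ip):
    """Apply only the source and destination address fields of the header."""
    parts = rule_header.split()
    return matches(parts[2], variables, src_ip) and matches(parts[5], variables, dst_ip)


if __name__ == "__main__":
    # Desktop 192.168.0.5 talking to proxy 213.224.83.10: both are MY_NET addresses.
    print("loose:", rule_fires(RULE, LOOSE_VARS, "192.168.0.5", "213.224.83.10"))  # True
    print("tight:", rule_fires(RULE, TIGHT_VARS, "192.168.0.5", "213.224.83.10"))  # False
    print("outside:", rule_fires(RULE, TIGHT_VARS, "203.0.113.7", "213.224.83.10"))  # True
```

With `EXTERNAL_NET any` every internal-to-internal packet satisfies the `$EXTERNAL_NET -> $MY_NET` header, which is exactly the proxy-traffic noise the original question describes; `!$MY_NET` excludes it while still catching the outside source.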


