On 12 Feb 2002 [EMAIL PROTECTED] wrote:

> Hello again. Now that I have snort running, what is the best
> configuration? I notice a major slowdown on our 100 Mbps LAN. What
> is the best ruleset or config for IDS? All it seems to log are
> 'destination unreachable' and 'portscan' from the external nic,
> nothing else.
>
> thanks
>
> dp

Well... I am not sure anyone can tell you what the best ruleset is.
This is something that is individually tailored for your network.

What I do is this: I take the latest set of signatures and I cut it
down by verifying every alert. I keep tools on my snort machines for
this very purpose. I usually load out ngrep, sniffit, dsniff, and
iptraf. The most used utility is ngrep. I will see an alert, and then
go into my snort machine, and ngrep for that particular signature.
Once found, I determine if that is legitimate network traffic. This
could be something obvious, or it could require making phone calls.
In the end, my ruleset slims out, and it's much easier for me to see
the important stuff.

I can tell you one piece of advice though: stay away from policy
signatures if you are a very large shop. If you have a few thousand
users, you and your snort sensor will be overwhelmed.

Maybe other people here have different methods for tuning, but that
is my method, it hasn't failed me yet, and kicks the tar out of our
current Cisco Secure IDS implementation.

Hope that helps,

Digital Ebola
[EMAIL PROTECTED]
http://wintermute.legions.org/~digi/
"Network penetration is network engineering, in reverse."
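The verify-then-trim loop from the reply above, as an added example that is not the poster's own code: it parses Snort's "fast" alert format, groups alerts by signature ID so the noisiest signatures get checked first, and prints the BPF half of the ngrep command that isolates the flow behind each alert. The alert lines and SIDs are constructed sample data, and the payload regex for ngrep still has to come from the rule's own content strings.

```python
import re
from collections import defaultdict

# Constructed sample lines in Snort's "fast" alert format (not from the original post).
SAMPLE_ALERTS = """\
02/12-09:01:10.000001 [**] [1:1000001:1] LOCAL ICMP Destination Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.1 -> 198.51.100.5
02/12-09:01:11.000002 [**] [1:1000001:1] LOCAL ICMP Destination Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.1 -> 198.51.100.7
02/12-09:01:12.000003 [**] [1:1000001:1] LOCAL ICMP Destination Unreachable [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.1 -> 198.51.100.9
02/12-09:02:30.000004 [**] [1:1000002:1] LOCAL WEB suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:3456 -> 198.51.100.80:80
02/12-09:02:31.000005 [**] [1:1000002:1] LOCAL WEB suspicious URI [**] [Priority: 1] {TCP} 203.0.113.9:3457 -> 198.51.100.80:80
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional classification/priority,
# {PROTO}, then src[:port] -> dst[:port] (ICMP alerts carry no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?(?:\[Priority: (?P<prio>\d+)\] )?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """Return one dict per well-formed alert line; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def bpf_for(alert):
    """BPF filter (ngrep's second argument) that isolates the flow behind one alert."""
    parts = [alert["proto"].lower(), "host " + alert["src"], "host " + alert["dst"]]
    if alert["dport"]:
        parts.append("port " + alert["dport"])
    return " and ".join(parts)

def tuning_report(alerts):
    """Group alerts by SID, noisiest first, so they are verified (and trimmed) in that order."""
    report = defaultdict(lambda: {"msg": "", "count": 0, "sources": set(), "filters": set()})
    for a in alerts:
        entry = report[a["sid"]]
        entry["msg"] = a["msg"]
        entry["count"] += 1
        entry["sources"].add(a["src"])
        entry["filters"].add(bpf_for(a))
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["count"]))

if __name__ == "__main__":
    for sid, e in tuning_report(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"sid {sid}: {e['count']}x {e['msg']} from {len(e['sources'])} source(s)")
        for f in sorted(e["filters"]):  # '<rule content>' is the payload regex taken from the rule
            print(f"    ngrep -q -d eth0 '<rule content>' '{f}'")
```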
