November 3rd, 2002, 05:52 PM
Very good points Slarty.
Ostefan, if you look at the rules directory (there should have been a tarball that, when you untar it, creates a directory called rules under your installation directory), you will find various classifications of attacks/informative type things. This is where you look to turn rules on/off. For example, you might not care that you are getting ICMP unreachables (I think, not 100% sure on this, I don't use snort very often); there will be something to the effect of an icmp.conf (grep -i icmp rules/* will tell you for sure). If you don't want a signature there, comment out the line (I think a '#' works, not 100% sure on that either). If you aren't interested in an entire series of rules (for example, maybe the web ones since you aren't running a web server), just move the entire .conf file to the preceding directory.
Any time you make changes to the configuration file, you will need to restart snort. My suggestion would be to look at the log file; in the log file you will see (usually) a reference to a CVE article. Follow the link and read about it (if you don't understand what it is talking about, do a Google search; there is usually more than enough information out there, securityfocus.com is a good place to look, so is cert.org). Based on what the article tells you, decide whether you think it is important or not (or decide if all of the reports you are seeing are false positives), and if so, turn the check off. A false positive would be something that triggers the signature to report that something bad has happened when it really hasn't (yes, there are plenty of poorly written signatures that would cause this to happen). Eventually, after much work, you will get a configuration that only reports the very serious problems and doesn't bug you about the things that you should worry about (like the icmp unreachable).
Also, don't forget to periodically check back at snort.org for updated signatures (minimum of every couple of weeks), otherwise you will be missing the attacks that you are most likely to see.
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
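The tuning step nebulus describes above (find the rules that match a noisy signature, comment them out with '#', restart snort) as an added example that is not from the post or from the Snort project. The rule text, SIDs and file name below are constructed samples in the style of a classic icmp rules file; disable by message pattern or by SID, and re-running it on already-commented rules changes nothing.

```python
"""Disable Snort rules by message text or SID by prefixing them with '#'.

Added example; the rules below are constructed samples, not from any Snort release.
"""
import re

# Constructed sample rules file; the sids 900001-900003 are illustrative only.
SAMPLE_RULES = """\
# icmp.rules (constructed sample)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype:3; icode:1; sid:900001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Port Unreachable)"; itype:3; icode:3; sid:900002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; sid:900003; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def is_active_rule(line):
    """A rule line that is not blank and not already commented out."""
    stripped = line.strip()
    return bool(stripped) and not stripped.startswith("#")


def disable_rules(text, msg_pattern=None, sids=()):
    """Return (new_text, list_of_disabled_sids).

    A rule is turned off by prepending '#', which is how snort ignores a line.
    Lines that are already comments are skipped, so the call is idempotent.
    """
    wanted_sids = {str(s) for s in sids}
    out, disabled = [], []
    for line in text.splitlines():
        if is_active_rule(line):
            sid = SID_RE.search(line)
            msg = MSG_RE.search(line)
            by_sid = sid is not None and sid.group(1) in wanted_sids
            by_msg = (msg_pattern is not None and msg is not None
                      and re.search(msg_pattern, msg.group(1), re.I) is not None)
            if by_sid or by_msg:
                disabled.append(sid.group(1) if sid else "?")
                line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n", disabled


def active_sids(text):
    """SIDs of the rules that are still enabled in the given rules text."""
    return [m.group(1) for line in text.splitlines() if is_active_rule(line)
            for m in [SID_RE.search(line)] if m]


if __name__ == "__main__":
    new_text, gone = disable_rules(SAMPLE_RULES, msg_pattern="destination unreachable")
    print("disabled:", gone, "still active:", active_sids(new_text))
```

Point it at a real file with `open(path).read()` and write the returned text back, then restart snort as the post says, since the running process does not re-read the rules on its own.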