From: Scott Johnson
To: freebsd-security@freebsd.org
Subject: Re: New to Snort.
Date: Thu, 8 Mar 2001 16:10:31 -0600
Message-ID: <20010308161031.A23872@ns2.airlinksys.com>
References: <20010308134208.D88665@mollari.cthul.hu>
In-Reply-To: <20010308134208.D88665@mollari.cthul.hu>; from kris@obsecurity.org on Thu, Mar 08, 2001 at 01:42:08PM -0800

Quoth Kris Kennaway on Thu, Mar 08, 2001 at 01:42:08PM -0800:
> On Thu, Mar 08, 2001 at 12:35:47PM -0500, Peter Brezny wrote:
> > am i in big trouble?
>
> No: snort is a tool for identifying packets which match certain rules.
> Which ruleset you use determines what types of packets it will match,
> and these can be arbitrary, even unrelated to security. Like all
> tools, snort is only useful if you understand what it's telling you
> and what it means.
>
> The rulesets which snort ships with tend to generate a large number of
> false positives, especially on busy networks.
> You either need to tune
> them by hand, or use a more restrictive ruleset (I use and recommend
> the ArachNIDS ruleset from www.whitehats.com/ids)

I download the latest vision.conf from whitehats every night using a script called update-vision.sh. Find it at:

http://www.whitehats.com/ids/index.html

The script grabs the latest signature file, then removes entries already in your current libraries.

In addition, I have modified the script to use my own custom ruletypes, so I can have stuff I deem important handled differently from stuff I don't consider important. Basically I filter the rules through sed to translate the standard built-in ruletype (alert) to one of my own, and selectively change some IDS #'s to other ruletypes depending on how I want it logged. Some I just comment out, because they're just noise.

This is important, since I use syslog to pass me the alerts in real time. Nothing sucks more than a flood of alerts from scans. On the other hand, a message on my terminal for something important I like a lot.

-- 
Scott Johnson
System/Network Administrator
Airlink Systems
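The sed-based retagging Scott describes, written out as an added example; this is not his modified update-vision.sh nor any whitehats script. It assumes two local ruletype names (important, routine) and constructed IDS numbers and sample rules, and declares the ruletypes with Snort's own ruletype/output syntax.

```shell
#!/bin/sh
# Added example, not the update-vision.sh script: retag a downloaded
# vision.conf so "alert" becomes a local ruletype, chosen IDS numbers go
# to a real-time syslog ruletype, and known noise is commented out.
# Ruletype names and IDS numbers are assumptions for illustration.

IMPORTANT_IDS="IDS9001"          # assumed: page me on these
NOISE_IDS="IDS9002 IDS9004"      # assumed: scan noise, comment out

# Snort ruletype declarations for the top of the generated file:
# "important" also goes to syslog (hence to the terminal), "routine"
# only to a local alert file.
ruletype_header() {
    cat <<'EOF'
ruletype important
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}
ruletype routine
{
    type alert
    output alert_fast: routine.alert
}
EOF
}

# retag_rules: rules on stdin, retagged rules on stdout. Noise is
# commented out first so the later "alert" rewrites never touch it.
retag_rules() {
    imp_re=$(printf '%s' "$IMPORTANT_IDS" | tr ' ' '|')
    noise_re=$(printf '%s' "$NOISE_IDS" | tr ' ' '|')
    sed -E \
        -e "\\@msg: *\"($noise_re)/@s@^@# noise: @" \
        -e "\\@^alert .*msg: *\"($imp_re)/@s@^alert @important @" \
        -e 's/^alert /routine /'
}

# Constructed sample in the vision.conf style (not real ArachNIDS rules).
SAMPLE_RULES='alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS9001/sample-shellcode-nops"; content: "|90 90 90 90|"; flags: A+;)
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS9002/sample-ftp-scan"; flags: S;)
alert UDP $EXTERNAL any -> $INTERNAL 161 (msg: "IDS9003/sample-snmp-public"; content: "public";)'

# Complete rules file as it would be written after the nightly download.
build_rules() {
    ruletype_header
    printf '%s\n' "$SAMPLE_RULES" | retag_rules
}
```

Run `build_rules > vision.local` and include that file from snort.conf; anything tagged important then reaches syslog immediately while routine hits stay in the alert file.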