Re: [Snort-users] Configuring Snort as a HIDS

--===============1980571808==
Content-Type: multipart/alternative;
boundary="----=_Part_17627_25466135.1196794045728"

------=_Part_17627_25466135.1196794045728
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Home_net -> server IP
External_net -> !$HOME_NET

What kind of services does the machine offer? You can probably eliminate
most of the .rules files and only include the ones necessary for your
specific server.

Same goes for preproccessors. No need for the telnet_ftp preproccessor if
you are installing snort directly on a web server that will never do any
telnet or ftp.

Just know that the types of alerts you will get from snort on a single
server, are entirely different than a true HIDS. Something like OSSEC by
Daniel Cid might be what you are really looking for. By industry standard=
,
HIPS are more concerned with file integrity and system log parsing on the
actual server (ie: apache, firewall, messages, etc). Snort, even when it i=
s
run on a single server, is more concerned with network based attacks.

Remember also that if the server you install snort on sees alot of traffic,
snort will be stealing alot of CPU and memory away from the service you are
offering.

Regards,

Seth






On Dec 4, 2007 1:21 PM, Kaplan, Andrew H. <AHKAPLAN@partners.org> wrote:

> Hi there =96
>
>
>
> I have installed the prepackaged snort application, version 2.7, on a
> server running Fedora Core 7. My plan is to run the application
>
> as a HIDS. Is there a recommended configuration that I should set up to
> accomplish this?
>
> The information transmitted in this electronic communication is intended =
only
> for the person or entity to whom it is addressed and may contain confiden=
tial
> and/or privileged material. Any review, retransmission, dissemination or =
other
> use of or taking of any action in reliance upon this information by perso=
ns or
> entities other than the intended recipient is prohibited. If you received=
this
> information in error, please contact the Compliance HelpLine at 800-856-1=
983 and
> properly dispose of this information.
>
>
>
>
> -------------------------------------------------------------------------
> SF.Net email is sponsored by: The Future of Linux Business White Paper
> from Novell. From the desktop to the data center, Linux is going
> mainstream. Let it simplify your IT future.
> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...=3Dsnort-users
>

------=_Part_17627_25466135.1196794045728
Content-Type: text/html; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Home_net -&gt; server IP<br>External_net -&gt; !$HOME_NET<br><br>What kind =
of services does the machine offer? You can probably eliminate most of the =
..rules files and only include the ones necessary for your specific server.&=
nbsp;&nbsp;=20
<br><br>Same goes for preproccessors.&nbsp; No need for the telnet_ftp prep=
roccessor if you are installing snort directly on a web server that will ne=
ver do any telnet or ftp.&nbsp; <br><br>Just know that the types of alerts =
you will get from snort on a single server, are entirely different than a t=
rue HIDS.&nbsp; Something like OSSEC by Daniel Cid might be what you are re=
ally looking for.&nbsp;&nbsp; By industry standard, HIPS are more concerned=
with file integrity and system log parsing on the actual server (ie: apach=
e, firewall, messages, etc).&nbsp; Snort, even when it is run on a single s=
erver, is more concerned with network based attacks.&nbsp;&nbsp;=20
<br><br>Remember also that if the server you install snort on sees alot of =
traffic, snort will be stealing alot of CPU and memory away from the servic=
e you are offering.&nbsp; <br><br>Regards, <br><br>Seth<br><br><br><br><br>=
<br>
<br><div class=3D"gmail_quote">On Dec 4, 2007 1:21 PM, Kaplan, Andrew H. &l=
t;<a href=3D"mailto:AHKAPLAN@partners.org">AHKAPLAN@par tners.org</a>&gt; wr=
ote:<br><blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid r=
gb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">









<div link=3D"blue" vlink=3D"purple" lang=3D"EN-US">

<div>

<p><font face=3D"Arial" size=3D"2"><span style=3D"font-size: 10pt; font-fam=
ily: Arial;">Hi there =96</span></font></p>

<p><font face=3D"Arial" size=3D"2"><span style=3D"font-size: 10pt; font-fam=
ily: Arial;">&nbsp;</span></font></p>

<p><font face=3D"Arial" size=3D"2"><span style=3D"font-size: 10pt; font-fam=
ily: Arial;">I have installed the prepackaged snort application, version
2.7, on a server running Fedora Core 7. My plan is to run the application</=
span></font></p>

<p><font face=3D"Arial" size=3D"2"><span style=3D"font-size: 10pt; font-fam=
ily: Arial;">as a HIDS. Is there a recommended configuration that I
should set up to accomplish this?</span></font></p>

</div>

<pre>The information transmitted in this electronic communication is intend=
ed only
for the person or entity to whom it is addressed and may contain confidenti=
al
and/or privileged material. Any review, retransmission, dissemination or ot=
her
use of or taking of any action in reliance upon this information by persons=
or
entities other than the intended recipient is prohibited. If you received t=
his
information in error, please contact the Compliance HelpLine at 800-856-198=
3 and
properly dispose of this information.


</pre></div>


<br>-----------------------------------------------------------------------=
--<br>SF.Net email is sponsored by: The Future of Linux Business White Pape=
r<br>from Novell. &nbsp;From the desktop to the data center, Linux is going
<br>mainstream. &nbsp;Let it simplify your IT future.<br><a href=3D"http://=
altfarm.mediaplex.com/ad/ck/8857-50307-18918-4" target=3D"_blank">http://al=
tfarm.mediaplex.com/ad/ck/8857-50307-18918-4</a><br>_______________________=
________________________
<br>Snort-users mailing list<br><a href=3D"mailto:Snort-users@lists.sourcef=
orge.net">Snort-users@lists.sourceforge.net</a><br>Go to this URL to change=
user options or unsubscribe:<br><a href=3D"https://lists.sourceforge.net/l=
ists/listinfo/snort-usersSnort-users" target=3D"_blank">
https://lists.sourceforge.net/lists/listinfo/snort-users<br>Snort-users</a>=
list archive:<br><a href=3D"http://www.geocrawler.com/redir-sf.php3?list=
=3Dsnort-users" target=3D"_blank">http://www.geocrawler.com/redir-sf.php3?l=
ist=3Dsnort-users
</a><br></blockquote></div><br>

------=_Part_17627_25466135.1196794045728--


--===============1980571808==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell. From the desktop to the data center, Linux is going
mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
--===============1980571808==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
--===============1980571808==--