Saturday, December 23, 2006

The Snort Top 10???

This is a good article about Snort from SANS ISC Handler's Diary. Joel Esler, security analyst from SANS posting a list of the top 10 mistakes and misconfigured when configuring IDS. There are 10 lists mistakes:
1. The Snort.conf file
2. Variables
3. Frag3 preprocessor
4. HTTP inspection preprocessor
5. Portscan preprocessor
6. The rest of the preprocessor to include the new "dynamic" preprocessors.
7. Rules
8. Output
9. Barnyard
10. Rule updates
The most important are variables and the rules. In variables, HOME_NET should always be configured. Common settings for HOME_NET should be your whole internal network. By default, EXTERNAL_NET is set to "any". "Any" also includes your HOME_NET. To make sure your Snort capture traffic that is NOT in your HOME_NET as EXTERNAL, you can set your "EXTERNAL_NET" to "!$HOME_NET".
The rules is very important in Snort. Turn OFF any rules category that have no application services running in your network. You can combine more than one rulesets in your Snort. If you want to combine two or three rulesets together, sure you can do it. For example, you can combine BleedingThreat ruleset with Snort VRT ruleset. However, you need to go through each rule file, and turn on/off what you are not interested in or what does not apply to your network. Snort rules is very important in order to minimize false positive alerts.

No comments: