[Discussion] a few ideas

Frank Knobbe frank at knobbe.us
Thu Mar 5 00:47:31 UTC 2009


On Tue, 2009-03-03 at 22:24 +0000, Kevin Ross wrote:
> Hey I have a few more ideas:
> 
> 1) rather than have the engine with all the signatures required for
> the environment for the everything it is watching why not be able to
> have directed rulesets? I.e say only process these rules for these
> networks or machines but don't do it for these. 

Uhm... and the reason you can't do that with a current Snort config is
what exactly? I have several sensors where HOME_NET is redefined and the
appropriate rule sets loaded again, multiple times. Works pretty good
for me.

(I know, most folks define HOME_NET and EXTERNAL_NET *once* in their
snort.conf, and are missing out on some decent snort.conf tuning)


> 2) suggestive rule tuning. i.e the sensor does not see any netbios
> traffic within a learning period, it can then say "no netbios traffic
> has been seen, do you wish to disable this ruleset" or something
> similar like do you have windows machines?

And what if NetBIOS attacks are being performed *after* the tuning
period is over and the IDS blinded itself?

That's my biggest beef with "self-tuning" or "learning periods". I'd
rather describe the network to Snort myself instead of letting software
make that decision and get it wrong.


Cheers,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
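For readers who have not tried the per-segment approach Frank describes, here is an added snort.conf fragment (illustration only, not Frank's or anyone else's configuration from this thread). It assumes placeholder network ranges, an `/etc/snort/rules` directory and the stock Snort 2.8 rule file names; the mechanism is that variables are expanded when each `include` line is parsed, so redefining HOME_NET and including a rule file again produces a second copy of those rules scoped to the new range:

```snort
# Added example (not from the thread): one snort.conf with HOME_NET
# redefined per network segment and the relevant rulesets re-included
# after each redefinition. Ranges and paths are assumed placeholders.

var RULE_PATH /etc/snort/rules

# --- Segment A: internal server VLAN, Windows hosts present.
#     NetBIOS/SMB rules stay loaded here regardless of what a
#     "learning period" would have observed.
ipvar HOME_NET 10.10.0.0/16
ipvar EXTERNAL_NET !$HOME_NET
include $RULE_PATH/netbios.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules

# --- Segment B: DMZ web tier, no Windows hosts.
#     Same sensor, narrower HOME_NET, only the rulesets that apply.
#     web-misc.rules is included a second time and now matches
#     traffic to 192.0.2.0/24 instead of 10.10.0.0/16.
ipvar HOME_NET 192.0.2.0/24
ipvar EXTERNAL_NET !$HOME_NET
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/web-misc.rules

# --- Everything else on the wire: no HOME_NET-scoped rules at all.
#     Rules written against "any" still fire; segment rules do not.
```

Two practical points: every re-include adds another copy of those rules to the running ruleset, so watch memory and startup time as the number of segments grows, and validate the final configuration with `snort -T -c snort.conf` before deploying it, since a typo in a later `ipvar` line silently narrows or widens the scope of every include that follows it.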


