[Oisf-users] Question
Leonard Jacobs
ljacobs at netsecuris.com
Mon Apr 1 18:04:16 UTC 2013
Inline from ISP router to one port on appliance out another port directly to WAN connection of firewall.
When using AF-Packet, not using brctl bridging because that doubles the data going through interfaces. But when just using IDS mode, we use brctl bridging method.
We did notice during testing that we get a few more events. We tested with a vulnerability scanning PC on one port and the other port directly into the internal network. There was one SCAN event that appeared in the log during an Nmap scan. Would have thought we would have seen more.
Thanks.
Leonard

From: Matt Jonkman [mailto:jonkman at jonkmans.com]
To: Leonard Jacobs [mailto:ljacobs at netsecuris.com]
Cc: oisf-users at openinfosecfoundation.org, Eric Leblond [mailto:eric.leblond at gmail.com]
Sent: Mon, 01 Apr 2013 12:31:44 -0600
Subject: Re: [Oisf-users] Question
Are you sure the box is seeing all traffic? Is it inline, or on a tap, etc?
Matt
On Sat, Mar 30, 2013 at 11:14 AM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
The only event I am getting is ET POLICY Unusual number of DNS No Such Name Responses.
From: mjonkman at emergingthreatspro.com [mailto:mjonkman at emergingthreatspro.com] On Behalf Of Matt Jonkman
Sent: Saturday, March 30, 2013 8:40 AM
To: Leonard Jacobs
Cc: oisf-users at openinfosecfoundation.org; Eric Leblond
Subject: Re: [Oisf-users] Question
Definitely should have. What rules are you running? Just the ET Open?
Have your vars set right?
Are you seeing other events?
Matt
On Fri, Mar 29, 2013 at 5:04 PM, Leonard Jacobs <ljacobs at netsecuris.com> wrote:
Why would Suricata events not be triggered when running a vulnerability scanner? I ran OpenVAS against a couple of public IP addresses on our network and not a single event was triggered. I would have thought that at least emerging-scan.rules would trigger.
Thanks.
Leonard Jacobs
President/CEO
Netsecuris Inc.
9301 Bryant Avenue S
Suite 104
Minneapolis, MN 55420
(952) 641-1421 ext. 20
http://www.netsecuris.com
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/
--
----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
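One of the questions in the thread is whether the vars are set right, and the scans in question were run against public IP addresses on the poster's own network. The following is an added example, not code from the list thread or the Suricata project: it models how the $HOME_NET / $EXTERNAL_NET address part of a typical scan rule header resolves for a scanner-to-target pair. The subnets are constructed (documentation ranges), and $EXTERNAL_NET is assumed to be !$HOME_NET as in the default configuration.

```python
import ipaddress

# Constructed example: a sensor whose HOME_NET covers only RFC1918 space,
# which silently excludes any public subnet the organisation actually owns.
HOME_NET_RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Same var with the (constructed) public subnet added; TEST-NET-3 stands in for it.
HOME_NET_FIXED = HOME_NET_RFC1918 + ["203.0.113.0/24"]


def in_home_net(ip, home_net):
    """True if ip falls inside any network listed in the HOME_NET var."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in home_net)


def rule_direction_matches(src, dst, home_net, src_var, dst_var):
    """Evaluate the address part of a rule header such as
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any' for one packet.
    Assumption: $EXTERNAL_NET is defined as !$HOME_NET (Suricata default)."""
    def var_matches(ip, var):
        if var == "$HOME_NET":
            return in_home_net(ip, home_net)
        if var == "$EXTERNAL_NET":
            return not in_home_net(ip, home_net)
        if var == "any":
            return True
        raise ValueError(f"unsupported address var {var}")
    return var_matches(src, src_var) and var_matches(dst, dst_var)


def scan_rule_would_fire(scanner_ip, target_ip, home_net):
    """Most scan rules are written $EXTERNAL_NET -> $HOME_NET; check that header."""
    return rule_direction_matches(scanner_ip, target_ip, home_net,
                                  "$EXTERNAL_NET", "$HOME_NET")


def explain(scanner_ip, target_ip, home_net):
    """List the reasons an $EXTERNAL_NET -> $HOME_NET header would not match."""
    reasons = []
    if not in_home_net(target_ip, home_net):
        reasons.append(f"target {target_ip} is not in HOME_NET, so $HOME_NET fails")
    if in_home_net(scanner_ip, home_net):
        reasons.append(f"scanner {scanner_ip} is inside HOME_NET, so "
                       "$EXTERNAL_NET (!$HOME_NET) fails")
    return reasons


if __name__ == "__main__":
    for net in (HOME_NET_RFC1918, HOME_NET_FIXED):
        print(scan_rule_would_fire("198.51.100.7", "203.0.113.10", net),
              explain("198.51.100.7", "203.0.113.10", net))
```

The same check explains why a scanner placed inside HOME_NET (the internal-network test in the thread) matches even fewer $EXTERNAL_NET -> $HOME_NET rules.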