LinuxQuestions.org
Old 10-09-2009, 10:46 AM   #1
timbCFCA
Snort rules


Sorry if this isn't the right forum, but it seems the closest to me. I did read the sticky.

I have a Snort server which monitors two taps, collected via an aggregator.
Some rules are only firing for the external interface. This is problematic since they tend to be policy violations, and I don't have a way to determine the internal IP for the violator.

Any suggestions?

Thanks,
Tim
 
Old 10-12-2009, 12:42 PM   #2
unixfool
You may be experiencing a placement issue, provided you've established your tap correctly.

Typically, what I do is run two snort instances, tapping both external and internal traffic (one snort process each). This will give me both the external-facing traffic and internal-facing traffic, which I can usually correlate. I do this at home, since I have maximum control, but your mileage may vary with a corporate set-up. Sensor placement in the enterprise can sometimes be difficult.
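The correlation step unixfool describes, as an added example that is not code from the thread: it assumes the two Snort instances write alerts in the fast alert format (`-A fast`), that the external tap sees the NAT'd public source address while the internal tap sees the private one, and that a policy rule fires on both sensors for the same flow. Alerts are matched on gid:sid:rev, protocol, destination address and port and a small time window (source port is deliberately ignored, since PAT may rewrite it). The sample alert lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Fields of a Snort fast-format alert line that the correlation needs.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$'
)

def parse_fast(line, year=2009):
    """Parse one fast-format alert; fast format carries no year, so it is supplied."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['ts'] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return d

def correlate(external_lines, internal_lines, window=timedelta(seconds=2)):
    """Map each external-sensor alert to the internal-sensor alert for the same
    flow. Returns (external_src, internal_src, gid:sid:rev) tuples; the internal
    source is the private address of the host behind the NAT."""
    internal = [a for a in map(parse_fast, internal_lines) if a]
    hits = []
    for ext in filter(None, map(parse_fast, external_lines)):
        for inn in internal:
            same_flow = (inn['sid'], inn['proto'], inn['dst'], inn['dport']) == \
                        (ext['sid'], ext['proto'], ext['dst'], ext['dport'])
            if same_flow and abs(inn['ts'] - ext['ts']) <= window:
                hits.append((ext['src'], inn['src'], ext['sid']))
                break
    return hits

# Constructed sample alerts (documentation address ranges, not real hosts).
EXTERNAL = [
    "10/09-10:46:12.100000  [**] [1:2000:1] POLICY example [**] [Priority: 2] {TCP} 203.0.113.9:40001 -> 198.51.100.7:80",
]
INTERNAL = [
    "10/09-10:46:12.050000  [**] [1:2000:1] POLICY example [**] [Priority: 2] {TCP} 10.0.0.5:51234 -> 198.51.100.7:80",
    "10/09-10:46:40.000000  [**] [1:2000:1] POLICY example [**] [Priority: 2] {TCP} 10.0.0.8:51235 -> 198.51.100.7:80",
]

if __name__ == "__main__":
    for ext_src, int_src, sid in correlate(EXTERNAL, INTERNAL):
        print(f"rule {sid}: external {ext_src} is internal host {int_src}")
```

The second internal alert is 28 seconds away and so is not matched; widen `window` if the two sensors' clocks are not synchronised.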
 
  

