The Unbearable Lightness of False Positives

The temptation when you get access to a powerful new toy, er, tool like Snort is to overuse it. At first you will turn on every single rule. You will set them to the detailed alert mode. You will have the alerts send you pages on your cell phone. Don't!

The rule library is very conservative. Many of the rules will be triggered by ordinary activity on a large and complex network. You will be paged perpetually. These events are called false positives. The real problem with them is not that you will be pestered and hounded but that you might raise so many things to an alert level that you will miss the real cracking attempts because you are buried up to your eyes in employees accessing eBay.

Another mistake is to use the rule libraries without giving any thought to the details of your environment. If you use only Apache Web servers, you probably don't need the rules in web-iis.rules. Are you using Snort on a single box to watch for attempts to break into just that box, or are you using it in your DMZ to watch all attempts to get through your firewall?
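The practical way to find out which rules are burying you is to count alerts per rule before you decide what to page on. The following script is an added example, not code from the book or from the Snort project: it parses Snort's "fast" alert format, ranks rules by volume, and flags rules that fire only on sources inside your home network (the "employees accessing eBay" case). The SIDs, hosts and messages in the sample are made up, and "10.0.0.0/8" is assumed to be the home network.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in Snort's "fast" alert format (made-up SIDs, hosts, messages).
SAMPLE_ALERTS = """\
03/09-13:45:12.100000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.5:34567 -> 10.0.0.1:80
03/09-13:45:13.200000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.6:34568 -> 10.0.0.1:80
03/09-13:45:14.300000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.7:34569 -> 10.0.0.1:80
03/09-13:45:15.400000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.0.0.5:34570 -> 10.0.0.1:80
03/09-13:46:01.000000  [**] [1:1000002:2] POLICY auction site access [**] [Priority: 3] {TCP} 10.0.0.8:40001 -> 198.51.100.20:80
03/09-13:46:02.000000  [**] [1:1000002:2] POLICY auction site access [**] [Priority: 3] {TCP} 10.0.0.9:40002 -> 198.51.100.20:80
03/09-13:46:03.000000  [**] [1:1000002:2] POLICY auction site access [**] [Priority: 3] {TCP} 10.0.0.8:40003 -> 198.51.100.20:80
03/09-13:47:30.000000  [**] [1:1000003:1] SHELLCODE x86 NOOP [**] [Priority: 1] {TCP} 203.0.113.7:55555 -> 10.0.0.1:22
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def parse_alerts(text):
    """Return one dict per parseable fast-format alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def noisiest_rules(alerts, home_net, top=5):
    """Rank rules by volume; a rule fired only by home_net sources is a tuning candidate."""
    home = ip_network(home_net)
    stats = defaultdict(lambda: {"msg": "", "total": 0, "internal": 0})
    for a in alerts:
        s = stats[a["sid"]]
        s["msg"] = a["msg"]
        s["total"] += 1
        if ip_address(a["src"]) in home:
            s["internal"] += 1
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["total"], reverse=True)
    return [(sid, s["msg"], s["total"], s["internal"] / s["total"]) for sid, s in ranked[:top]]

if __name__ == "__main__":
    for sid, msg, total, frac in noisiest_rules(parse_alerts(SAMPLE_ALERTS), "10.0.0.0/8"):
        flag = "  <- every source is internal; review before paging on it" if frac == 1.0 else ""
        print(f"sid {sid}: {total:3d}  {msg}{flag}")
```

Run it against a real alert file instead of SAMPLE_ALERTS and the top of the list tells you which rules to tune, threshold, or drop (web-iis.rules on an Apache-only network, for instance) before they reach your pager.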

I haven't got room to tell you how to design an intrusion-detection system. I'm just showing you the basics of Snort. Remember that while the tool may be one-size-fits-all, you do actually have to pull in the drawstrings if you are going to keep the rain out.

Keep some of these elements in mind when you are figuring out how to fit Snort into your setup:

How many networks, hosts, and routers do I want to watch?

What potentially vulnerable services do I want to monitor?

Do I or can I trust my internal hosts?

How many "ports of entry" do I have, and can Snort see them all?

How much computer power do I need? Snort can easily watch a 28.8-kbps PPP link running on a 486, but to watch an asynchronous transfer mode (ATM) router you might need a bit more than that.

That's not an exhaustive list by any means. It's just the start of the sort of questions you must ask yourself when planning to deploy Snort or indeed any other IDS (intrusion-detection system) tool.

Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257