Thursday, February 4, 2010

The Unbearable Lightness of False Positives

The temptation when you get access to a powerful new toy, er, tool like Snort is to overuse it. At first you will turn on every single rule. You will set them to the detailed alert mode. You will have the alerts send you pages on your cell phone. Don't!

The rule library is very conservative. Many of the rules will be triggered by ordinary activity on a large and complex network. You will be paged perpetually. These events are called false positives. The real problem with them is not that you will be pestered and hounded but that you might raise so many things to an alert level that you will miss the real cracking attempts because you are buried up to your eyes in employees accessing eBay.

Another mistake is to use the rule libraries without giving any thought to the details of your environment. If you use only Apache Web servers, you probably don't need the rules in web-iis.rules. Are you using Snort on a single box to watch for attempts to break into just that box, or are you using it in your DMZ to watch all attempts to get through your firewall?
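
Before you start switching rules off, it helps to measure which ones are actually paging you. The script below is an added example written for this post (not from the book, and not Snort's own tooling): it parses Snort's fast-format alert output, ranks signatures by hit count and by how many distinct hosts fired them, and emits Snort 2.x threshold.conf event_filter lines for the worst offenders. The alert lines, hosts and filter defaults are constructed sample values.

```python
import re
from collections import Counter
# Snort "fast" alert line shape (constructed example, not a real capture):
# 02/04-10:15:22.1  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 10.0.0.5:4321 -> 10.0.0.80:80
FAST_ALERT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

def parse_alerts(lines):
    """Return one dict (gid, sid, msg, src, dst) per line in fast format."""
    return [m.groupdict() for m in map(FAST_ALERT.search, lines) if m]

def noisy_signatures(alerts, top=3):
    """Rank signatures by hit count and count the distinct sources behind each;
    many hits from many ordinary hosts is the usual false-positive shape."""
    counts, sources = Counter(), {}
    for a in alerts:
        key = (int(a["gid"]), int(a["sid"]), a["msg"])
        counts[key] += 1
        sources.setdefault(key, set()).add(a["src"])
    return [(g, s, m, n, len(sources[(g, s, m)]))
            for (g, s, m), n in counts.most_common(top)]

def event_filter_lines(ranked, count=1, seconds=60):
    """Snort 2.x threshold.conf syntax: cap each noisy signature at `count`
    alerts per source per `seconds` rather than paging on every hit."""
    return [f"event_filter gen_id {g}, sig_id {s}, type limit, "
            f"track by_src, count {count}, seconds {seconds}"
            for g, s, _, _, _ in ranked]

# Constructed sample: four WEB-IIS hits against an Apache host from three
# internal clients, plus one alert that genuinely deserves a page.
SAMPLE_LOG = [
    "02/04-10:15:22.1  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 10.0.0.5:4321 -> 10.0.0.80:80",
    "02/04-10:15:23.2  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 10.0.0.6:4322 -> 10.0.0.80:80",
    "02/04-10:15:24.3  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 10.0.0.5:4323 -> 10.0.0.80:80",
    "02/04-10:15:25.4  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 10.0.0.7:4324 -> 10.0.0.80:80",
    "02/04-10:16:01.5  [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Priority: 1] {TCP} 10.0.0.80:80 -> 10.0.0.5:4325",
]

def triage(lines, top=3):
    ranked = noisy_signatures(parse_alerts(lines), top)
    return ranked, event_filter_lines(ranked)

if __name__ == "__main__":
    ranked, filters = triage(SAMPLE_LOG)
    print(*ranked, *filters, sep="\n")
```

A signature that tops the list on a server type you don't run (here WEB-IIS against Apache) is a candidate for dropping the whole rule file from snort.conf rather than just rate-limiting it.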
I haven't got room to tell you how to design an intrusion-detection system. I'm just showing you the basics of Snort. Remember that while the tool may be one-size-fits-all, you do actually have to pull in the drawstrings if you are going to keep the rain out.

Keep some of these elements in mind when you are figuring out how to fit Snort into your setup:

How many networks, hosts, routers do I want to watch?

What potentially vulnerable services do I want to monitor?

Do I or can I trust my internal hosts?

How many "ports of entry" do I have, and can Snort see them all?

How much computer power do I need? Snort can easily watch a 28.8-kbps PPP link running on a 486, but to watch an asynchronous transfer mode (ATM) router you might need a bit more than that.

That's not an exhaustive list by any means. It's just the start of the sort of questions you must ask yourself when planning to deploy Snort or indeed any other IDS (intrusion-detection system) tool.