
Re: snort log has a bunch of different attacks - should I be worried

On Saturday 08 March 2003 8:40 am, Shri Shrikumar wrote:
> From: Shri Shrikumar <shri@urbyte.com>
> To: debian-user@lists.debian.org
> On Sat, 2003-03-08 at 15:54, nate wrote:
> > Shri Shrikumar said:
> > > Hello,
> > >
> > > I have been running a server for a few months now for a hobby site and
> > > had installed snort. I have reports of a whole range of attacks on the
> > > server IP including
> >
> > in default configuration snort will detect about 97-99% false positives
> > as far as "intrusion" goes. at my last employer, without configuration
> > on 2 T1s with ~5% utilization on each I got upwards of 40,000 events per
> > hour. It took about 75 hours of log analysis and tuning to get that
> > number down to a more manageable level of ~20 events/hour.
> >
> > so in most cases you're fine. all of the attacks you list look pretty
> > harmless to me.
> Thanks nate. Is there a site which lists these things in more detail so
> I know if the ones that show up are safe or not.

It's best to understand how networks function, and TCP/IP, and all those good
things. The Snort homepage has a list of Snort's rules, and what they mean.
The Snort user groups are active and helpful.

Bruce Schneier and Lance Spitzner have both written books, and reams of online
stuff, on computer security; a quick Googling will return tons of useful
information. Also the O'Reilly book, TCP/IP Network Administration, I found
extremely useful. Having at least a medium-deep knowledge of TCP/IP makes
everything else more comprehensible.

Carla Schroder
this message brought to you
by Libranet 2.7 and Kmail
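The log analysis and tuning nate describes above (find which signatures dominate the event count, then suppress or rate-limit the noisy ones rather than the rare ones) can be mechanised. The following script is an added example written for this page; it is not code from anyone in the thread or from the Snort project. It parses Snort's alert_fast output format, counts events per signature and per source, and emits tuning directives in the Snort 2.x threshold.conf syntax (`suppress` and `threshold`). The alert lines, signature IDs, rule names and IP addresses in SAMPLE_ALERTS are constructed for illustration, and the thresholds (`min_events`, `dominant_share`) are arbitrary starting points you would adjust for your own site.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Snort alert_fast lines. SIDs, rule names and
# addresses are illustrative only, not copied from any real log.
SAMPLE_ALERTS = """\
03/08-15:54:01.100000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.10:1900 -> 239.255.255.250:1900
03/08-15:54:31.200000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.10:1900 -> 239.255.255.250:1900
03/08-15:55:01.300000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.10:1900 -> 239.255.255.250:1900
03/08-15:55:31.400000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.10:1900 -> 239.255.255.250:1900
03/08-15:56:01.500000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.10:1900 -> 239.255.255.250:1900
03/08-15:56:31.600000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.10:1900 -> 239.255.255.250:1900
03/08-15:57:02.000000  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.21 -> 192.0.2.5
03/08-15:58:14.000000  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.5
03/08-15:59:40.000000  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.77 -> 192.0.2.5
03/08-16:01:05.000000  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.44:3321 -> 192.0.2.5:80
03/08-16:02:11.000000  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.3:1434 -> 192.0.2.5:1434
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'\s+\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?'
    r'\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)


def parse_alerts(text):
    """Parse alert_fast text into a list of dicts; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize(alerts):
    """Count events per signature and, within each signature, per source IP."""
    by_sig = Counter()
    by_sig_src = defaultdict(Counter)
    for a in alerts:
        key = (int(a['gid']), int(a['sid']), a['msg'])
        by_sig[key] += 1
        by_sig_src[key][a['src']] += 1
    return by_sig, by_sig_src


def suggest_tuning(alerts, min_events=3, dominant_share=0.8):
    """Return threshold.conf directives (Snort 2.x syntax) for noisy signatures.

    A signature that fires mostly from one source (e.g. a local host's own
    multicast chatter) gets a per-source suppress; one that is noisy across
    many sources is rate-limited to one event per source per minute instead,
    so the signature still reports new sources. Rare signatures are left alone
    because those are the ones worth reading.
    """
    by_sig, by_sig_src = summarize(alerts)
    directives = []
    for (gid, sid, msg), n in by_sig.most_common():
        if n < min_events:
            continue
        src, n_src = by_sig_src[(gid, sid, msg)].most_common(1)[0]
        if n_src / n >= dominant_share:
            directives.append(
                f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            directives.append(
                f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                f"track by_src, count 1, seconds 60")
    return directives


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    by_sig, by_sig_src = summarize(alerts)
    print(f"{len(alerts)} events, {len(by_sig)} distinct signatures")
    for (gid, sid, msg), n in by_sig.most_common():
        srcs = len(by_sig_src[(gid, sid, msg)])
        print(f"{n:5d}  [{gid}:{sid}]  {msg}  ({srcs} source(s))")
    print("\n# suggested threshold.conf entries")
    for d in suggest_tuning(alerts):
        print(d)
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; review every suggested `suppress` before installing it, since a per-source suppress hides that source for that signature entirely, and the two low-count web and SQL alerts in the sample are deliberately left untouched.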
