Thursday, February 7, 2013

IDS/IPS User Annoyances

As you know, I use snort as my IDS product of choice at home.  Sometimes I see questions from other people who use snort that just strike me as being dumb questions.  Now I understand if you were suddenly told by your boss, "Guess what?  You're the new person in charge of our IDS".  You have my sympathy.  There will obviously be  a learning curve for you if you've never managed an IDS or IPS.  The people I don't have sympathy for are the ones who have fancy titles like Sr. Security Analyst or Senior Network Engineer, who ask the dumb questions.  These people should just know better. 

Below is a list of things I thought of off the top of my head that these people should know:

Place your snort sensor inside your firewall.  Put it as close as possible to the network segment you want to monitor.  Don't put it outside your perimeter firewall.  You don't need to care about everyone who is knocking at your door.  If you want to keep them out, that's why you have a firewall.  If you place the sensor outside the firewall, you will get so many alerts that you won't be able to manage them.

Which brings me to my next point...Snort is not a firewall.  Please don't treat it like one.  Before you ask yourself if snort can block certain traffic, the better question would be to ask if your firewall can block it before it even makes it inside your network.  So if you want to do something like rate-limit certain traffic coming from outside to your internal network, do it at your firewall. 

Tune your IDS/IPS for your environment.  An IDS isn't a set-it-and-forget-it type of device.  Yes, you should go through all the rules and turn off the ones that do not apply to your environment.  If you don't have time, make time.  It's that important to the performance of your sensor.  If you're not running any Windows machines, then turn off all the rules that apply to Windows hosts.

Don't write rules for every piece of malware under the sun.  Let your antivirus software do its job.  You do have antivirus software, right?

Do not enable the portscan preprocessor.  It will affect performance and gives you very little in terms of value.  So what if someone ran a portscan?  A portscan is not an exploit.  It is not even necessarily a precursor to an exploit.  And trust me, someone is always port scanning at your perimeter.  Know that and move on.

Don't use snort to block access to particular websites.  Again, this is a task better suited to your firewall or proxy.

Don't expect sympathy if you are concerned about running a rule for a 10-year-old exploit that only affects certain older versions of software.  You had 10 years to move off of that software version.  Just because you chose not to does not make it my problem.  An IDS isn't designed to replace your patching procedure.  It's designed to buy you the time you need to get your software patched.  Once the software is patched, you should turn off that specific rule because you don't need it any longer.
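Both the tuning advice above (turn off rules for platforms you don't run) and the point about retiring a rule once the software is patched come down to the same chore: commenting rules out in the ruleset file.  The shell script below is an added example, not code from this post; its rule lines and local SIDs are constructed sample data, and the "windows" pattern and SID 1000002 used in the demo are assumptions standing in for whatever applies in your environment.

```shell
#!/bin/sh
# Added example (not from the original post): tune a Snort ruleset
# the way the post describes, by commenting out rules that do not
# fit the environment. Snort ignores a rule line beginning with '#',
# so disabling a rule means prefixing it, which also keeps it easy
# to re-enable. All rule text below is constructed sample data.

# disable_rules FILE PATTERN [SID...]
# Prints FILE with every active rule commented out whose msg matches
# PATTERN (case-insensitive ERE; '' matches nothing) or whose sid is
# one of SID... Case 1: a platform you do not run. Case 2: a SID you
# no longer need once the software it covers is patched.
disable_rules() {
  file=$1; pattern=$2; shift 2
  awk -v pat="$pattern" -v sids=" $* " '
    /^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ {
      msg = ""; sid = ""
      if (match($0, /msg:"[^"]*"/)) msg = substr($0, RSTART + 5, RLENGTH - 6)
      if (match($0, /sid:[0-9]+/))  sid = substr($0, RSTART + 4, RLENGTH - 4)
      hit = (pat != "" && tolower(msg) ~ tolower(pat))
      hit = hit || (sid != "" && index(sids, " " sid " ") > 0)
      if (hit) { print "# " $0; next }
    }
    { print }
  ' "$file"
}

# active_rule_count FILE: how many rules Snort would actually load.
active_rule_count() {
  awk '/^[ \t]*(alert|log|pass|drop|reject|sdrop)[ \t]/ { n++ } END { print n + 0 }' "$1"
}

# write_sample_rules FILE: constructed rules standing in for a real local.rules.
write_sample_rules() {
  cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE Windows SMB probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE old webapp flaw, patched here"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SAMPLE outbound mail policy"; sid:1000003; rev:1;)
# alert tcp any any -> any 23 (msg:"SAMPLE already disabled"; sid:1000004; rev:1;)
EOF
}

# Demo: no Windows hosts here, and sid 1000002 covers software we have patched.
rules=$(mktemp)
write_sample_rules "$rules"
echo "active rules before tuning: $(active_rule_count "$rules")"        # 3
disable_rules "$rules" 'windows' 1000002 > "$rules.tuned"
echo "active rules after tuning:  $(active_rule_count "$rules.tuned")"  # 1
rm -f "$rules" "$rules.tuned"
```

Run it against a copy of your rules file and diff the result before swapping it in, so you can see exactly which rules the pattern caught.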

I'm sure that given enough time I could probably write a book with tips like the above.  Right now, however, I'm a little short on time and think that what I've said so far is a good start for anyone who manages an intrusion system.

