|
Tuning Snort with Host Attribute Tables |
|
|
|
Source: CSO Online - Posted by Anthony Pell
|
Having trouble finding malicious activity during Snort scans? Your Snort implementation may need a tune up. Joel Esler tells you how to do it using host attribute tables. The question I receive most often in my consulting with Sourcefire and Snort clients is also the easiest to field. People generally think that tuning a Snort installation requires a mystical knowledge and a crystal ball. Being able to understand the inner-workings of an open-source product is generally speaking, a hard thing to do.
Snort is 11 years old this year. It's one of the most critically acclaimed, highly deployed, well documented, and highly praised pieces of network security software in the world. It's nearly ubiquitous. There is barely a security shop on the planet that hasn't heard of Snort now. So why does the question persist?
The truth is that there's an overwhelming amount of information -- some more useful than others -- and getting started can be daunting. If there is one tip that would make life easier it would be the use of Host Attribute tables, a feature that was introduced in Snort version 2.8.1.
Host Attribute tables give you, the Snort administrator, the ability to define what your network is to Snort. In the past, in order to tune Snort's fragmentation preprocessor (frag3 for you Snort heads), you'd have to make an entry into the snort.conf defining the OS of the target system so that Snort would reassemble fragmented packets correctly when they were headed towards the end host. Then along came the new target-based Steam preprocessor (Stream5) allowing you to do stream reassembly in a target-based mode.
Read this full article at CSO Online
Only registered users can write comments.
Please login or register. Powered by AkoComment! |
