Netgate Discussion Forum

    Snort: How do I determine which categories to use?

    • sofakng

      I have a very small home network but I'm using a fairly powerful x86 box for pfSense so I'd like to fool around with Snort.

      Here's basically what I have:

      • IIS / Apache web servers
      • SQL / MySQL database servers
      • Other web GUI servers (e.g. web GUIs for configuring different applications)
      • SSH server
      • Game servers

      How do I determine which rule categories to select? Also, why can't I choose anything besides "default" for my home and external networks?

      Finally, do I need to use barnyard2? What is the disadvantage of not using it?

      • g4m3c4ck

        Well, you basically answered your own question by listing what you have =) It is all in the name of the category. It would be useful to have a small description, but I think that is because the rules are maintained by http://www.snort.org

        Home and external networks I think are for load balancing, but I am not sure.

        No, you do not need barnyard2. It basically makes Snort's alert system/logging operate faster because it uses a database instead of a txt file.

        How do you get it to work? I am still trying to get it to work with a remote database; once I figure it out I will try to write up a small tutorial.

        • sofakng

          Thanks for the reply… I wish there were more documentation on the rules (but even snort.org doesn't provide any documentation on them either?)

          Anyways, how would I detect port scanning? I've turned on the preprocessor directive and tried a couple of categories that looked appropriate, but nothing ever showed up in my log even though I did a remote portscan from grc.com.

          • g4m3c4ck

            Heh, try all the categories with "scan" in the name. Try the ICMP categories if your scan doesn't show. Also make sure Snort is running on the WAN interface. It should be green if it is running.

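As an added example (not from this thread or the pfSense Snort package), a small Python parser for Snort's alert_fast log that pulls out scan-related alerts, so you can check whether the portscan preprocessor or the "scan" rule categories actually fired rather than eyeballing the whole log. The alert lines below are constructed samples; GID 122 is the generator id the sfportscan preprocessor uses, and the rule sids are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in Snort alert_fast format (not taken from the thread).
# GID 122 events come from the sfportscan preprocessor; GID 1 events are text rules.
SAMPLE_ALERTS = [
    "03/15-14:22:31.101010  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 203.0.113.5 -> 198.51.100.10",
    "03/15-14:22:32.202020  [**] [1:1228:7] SCAN nmap XMAS [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "203.0.113.5:54321 -> 198.51.100.10:22",
    "03/15-14:25:00.303030  [**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} "
    "192.0.2.7:49152 -> 198.51.100.10:445",
    "03/15-14:26:10.404040  [**] [122:3:1] (portscan) TCP Portsweep [**] "
    "[Priority: 3] {PROTO:255} 203.0.113.5 -> 198.51.100.0",
]

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"   # preprocessor alerts omit this
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

PORTSCAN_GID = 122  # sfportscan preprocessor generator id

def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["prio"] = int(d["gid"]), int(d["sid"]), int(d["prio"])
    # TCP/UDP alerts carry "ip:port"; preprocessor and ICMP alerts carry a bare address.
    d["src_ip"] = d["src"].rsplit(":", 1)[0] if d["proto"] in ("TCP", "UDP") else d["src"]
    return d

def is_scan(alert):
    """Portscan preprocessor events, or any rule whose message/classification mentions scanning."""
    text = (alert["msg"] + " " + (alert["cls"] or "")).lower()
    return alert["gid"] == PORTSCAN_GID or "scan" in text

def scan_sources(lines):
    """Count scan alerts per source IP across the given alert_fast lines."""
    return Counter(a["src_ip"] for a in map(parse_alert, lines) if a and is_scan(a))

if __name__ == "__main__":
    for ip, n in scan_sources(SAMPLE_ALERTS).most_common():
        print(f"{ip}: {n} scan alert(s)")
```

If a scan from a remote tester produces no rows here, the problem is upstream: the sfportscan preprocessor or scan categories are not enabled on the interface the traffic arrives on.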
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.