Previous Section  < Day Day Up >  Next Section

6.2 Initial Configuration

Take your time with the initial installation and configuration of your Snort system. Be sure to try things out; there are many options and a great deal of functionality at your disposal. Almost any effective information technology project will start with an inventory—an NIDS deployment is no exception. A thorough understanding of the types of systems, their location, and the services they provide will allow you to make educated decisions about how to configure your sensors.

6.2.1 Targeted IDS

If you have only Windows systems in your network, employing the rules that watch for attacks on Unix-based systems will only generate noise. If you are running Apache as your web server, eliminating the Microsoft IIS rules keeps Snort from alerting on attacks that would not affect your web servers. Look at the information on the Snort rule sets in the next chapter and the discussion of tuning Snort in Chapter 9. They will help you eliminate rules that watch for attack attempts that will only generate false-positive alerts.

Consider what you want out of your NIDS installation. The Internet is noisy with scanners, worms, scripts, and probes. Generating alerts on all this noise is of questionable value. Before the advent of all this activity, a probe was usually a genuine precursor to an attack. These days, it is nearly impossible to discern the early stages of an actual network probe from this noise. Tune your IDS to match the operating systems, software, and devices you are running in your network.

Some of the strategies presented in the next section can help you target your efforts more effectively.

    Previous Section  < Day Day Up >  Next Section