03 January, 2008

Keeping Snort configuration updated

One thing that needs attention when keeping Snort tuned is updating the configuration variables in snort.conf when changes are made to the network. I recently noticed an alert was firing on legitimate DNS traffic because a new mail server was not in $SMTP_SERVERS. It's easy enough to add the IP to the SMTP_SERVERS variable.

In some cases, you may want that variable to hold other ones. For instance, a big company like GE might have many different sites or logical networks. It may be useful to separate the SMTP servers logically in the Snort.conf if the sensor is going to see the traffic from more than one site:

Note that you need the EAST_COAST_TV_SMTP and MICROWAVE_PROGRAMMING_SMTP variables set before they are used in the SMTP_SERVERS variable.

1 comment:

  1. You can also place these variables in a separate file aside your snort.conf, and then include the separate file with the "include" statement. Keep your variables in a file you don't update (not your snort.conf) then include them. That way you don't have to keep re-copy and pasting your variables into your Snort.conf file :)