Snort mailing list archives

Re: Too many questions


From: Robby Desmond <rdesmond () els ucsb edu>
Date: Wed, 20 Nov 2002 12:25:01 -0800

At 11:17 PM 11/20/2002 +0330, Alireza Naderi wrote:
Hi All

I have too many questions about snort and its configuration.
If anyone knows the answers, kindly explain them or tell me how I can
find the answers (documents, etc.)

This is an RTFM of epic proportions.

1. How can I tell snort to classify the alerts, for example
as critical and normal, ...?

Define a custom ruletype and change the "normal" ones to that ruletype.
Custom Ruletypes are in the manual.

2. How can I tell it to mail the critical alerts?

Swatch, pigsentry, a bunch of things on the snort site.
This is in the FAQ.

3. What is sensor_name in the configuration files, and what work
does it do?

If you want to name your sensor (a good idea if you have many of them), it goes there. The default naming scheme is "snort_eth0" or something.
In the User Manual.

4. What is TAC_Pipe_1? I read in the snort documents (FreeBSD)
that it was written as "sensor_name=TAC_Pipe_1".

A random name that someone picked to call the sensor. If you found the FreeBSD docs, how come you didn't read the User Manual or the FAQ before asking questions?

5. How can I configure it so that it does not make alerts if
192.168.12.3 attempts SNMP, but does make alerts if that IP attempts
other types of attack?

Define a variable that excludes that IP and edit the SNMP rules. Or man tcpdump to learn to write BPFs to ignore SNMP traffic from that host.
Helpful link if you search the list archives.

6. How can I tell snort to block the source address of an ICMP
attack or other kinds of attack?

Flex-resp. Gotta enable at compile.

In the Manual and FAQ.

7. Is it possible for it to execute a command on the remote machine,
for example to change the password, if it detects a specific attack?

Um, I guess you could get swatch to send an email or SNMP or something. But then you'd be open to attack.

8. How can I tell snort to listen on two NICs (eth0, eth1)?

Manual and FAQ. Run two different instances of snort with different configs and log directories.

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
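A snort.conf fragment, added here to illustrate answers 1 and 5 and not part of the original post: a custom ruletype that sends "critical" rules to syslog while ordinary alert rules keep the default output, and a variable that excludes 192.168.12.3 from an SNMP rule while every other rule still applies to that host. The ruletype name, the SNMP_POLLER variable and both rules are made up for this example; they are not Snort's shipped rules.

```snort
# Added example, not from the post. Answer 1: a custom ruletype.
# Rules that start with the keyword "critical" instead of "alert"
# go to syslog at LOG_ALERT; plain "alert" rules are unaffected.
# The name "critical" is arbitrary.
ruletype critical
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
}

var HOME_NET 192.168.12.0/24
var EXTERNAL_NET !$HOME_NET

# Answer 5: the one host that is allowed to poll SNMP (question 5's
# 192.168.12.3). Variable name chosen for this example.
var SNMP_POLLER 192.168.12.3/32

# Constructed SNMP rule: fires on SNMP (udp/161) requests into the
# home net from any source EXCEPT the permitted poller. Rules that do
# not reference SNMP_POLLER still match 192.168.12.3 as before, so
# other attacks from that host are still alerted on.
alert udp !$SNMP_POLLER any -> $HOME_NET 161 \
    (msg:"SNMP request from unapproved host"; content:"public"; \
     sid:1000001; rev:1;)

# A rule escalated with the custom ruletype from answer 1: same syntax
# as an alert rule, only the leading keyword changes.
critical tcp $EXTERNAL_NET any -> $HOME_NET 23 \
    (msg:"Telnet connection attempt from outside"; flags:S; \
     sid:1000002; rev:1;)

# The BPF alternative from answer 5 drops the SNMP packets before any
# rule sees them; the filter is passed on the command line:
#   snort -c snort.conf -i eth0 'not (src host 192.168.12.3 and udp port 161)'
# For answer 8, start a second instance with -i eth1 and its own -l log dir.
```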


