Snort mailing list archives
Re: Too many questions
From: Robby Desmond <rdesmond () els ucsb edu>
Date: Wed, 20 Nov 2002 12:25:01 -0800
At 11:17 PM 11/20/2002 +0330, Alireza Naderi wrote:
> Hi All, I have too many questions about snort and its configuration. If anyone knows the answers, kindly explain them or tell me how I can find the answers (documents, etc.).
This is an RTFM of epic proportions.
> 1. How can I tell snort to classify the alerts, for example as critical and normal, ...?
Define a custom ruletype and change the "normal" ones to that ruletype. Custom Ruletypes are in the manual.
> 2. How can I tell it to mail the critical alerts?
Swatch, pigsentry, a bunch of things on the snort site. This is in the FAQ.
> 3. What is sensor_name in the configuration files and what does it do?
If you want to name your sensor (a good idea if you have many of them), it goes there. The default naming scheme is "snort_eth0" or something.
In the User Manual.
> 4. What is TAC_Pipe_1? I read in the snort documents (FreeBSD) that it was written as "sensor_name=TAC_Pipe_1".
A random name that someone picked to call the sensor. If you found the FreeBSD docs, how come you didn't read the User Manual or the FAQ before asking questions?
> 5. How can I configure it so that it does not generate alerts if 192.168.12.3 attempts SNMP, but does generate alerts if that IP attempts other types of attack?
Define a variable that excludes that IP and edit the SNMP rules. Or man tcpdump to learn to write BPFs to ignore SNMP traffic from that host.
Helpful link if you search the list archives.
> 6. How can I tell snort to block the source address of an ICMP attack or other kinds of attack?
Flex-resp. Gotta enable it at compile time. In the Manual and FAQ.
> 7. Is it possible for it to execute a command on a remote machine, for example to change the password if it detects a specific attack?
Um, I guess you could get swatch to send an email or SNMP or something. But then you'd be open to attack.
> 8. How can I tell snort to listen on two NICs (eth0, eth1)?
Manual and FAQ. Run two different instances of snort with different configs and log directories.
-Robby
Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
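As an added example (not from the thread, not from the Snort project), a snort.conf excerpt showing what the answers to questions 1 and 5 above describe: a custom `critical` ruletype that writes to its own alert file (which swatch, from question 2, can then watch and mail), and an SNMP rule whose source field negates a variable so 192.168.12.3 is ignored for SNMP but still matched by every other rule. The variable name, rule text, file names and sid values are constructed for this example.

```snort
# Added example snort.conf excerpt (constructed; not from the thread).
# Assumed layout: the monitored segment is 192.168.12.0/24 and
# 192.168.12.3 is the management station allowed to poll SNMP.
var HOME_NET 192.168.12.0/24
var SNMP_MANAGER 192.168.12.3

# Question 1: a custom ruletype so "critical" rules are handled
# separately from plain "alert" rules. Critical hits go to their
# own fast-format file (relative to the -l log directory), which
# swatch (question 2) can tail and mail.
ruletype critical
{
    type alert
    output alert_fast: critical.alert
}

# Question 5: negate the variable in the source field so SNMP from
# the management station is ignored, while SNMP from any other host
# still alerts. sid values are in the local (>1000000) range and are
# constructed for this example.
alert udp !$SNMP_MANAGER any -> $HOME_NET 161 (msg:"SNMP request from non-manager host"; sid:1000001; rev:1;)

# Other rules keep "any" as the source, so the management station is
# still checked for everything except SNMP. This one uses the custom
# ruletype, so a match lands in critical.alert instead of the normal
# alert file.
critical icmp any any -> $HOME_NET any (msg:"ICMP echo request (critical)"; itype:8; sid:1000002; rev:1;)
```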