Snort mailing list archives
Re: stopping snort
From: Bennett Todd <bet () rahul net>
Date: Fri, 13 Dec 2002 15:46:44 -0500
2002-12-13-13:54:14 Don:
Has anyone found a way to stop snort, automatically, [...]
That's very much a platform-specific question. On platforms on which I'd try and support snort, when it's installed the way I'd install it, I can always stop it with "/etc/init.d/snort stop".
What I want to do is have snort stop, if it gets more than 'x' alerts in a single hour, or some time frame, then of course email me that it has stopped.
On the platforms where I'd support snort, I'd just use swatch with a rule to stop snort. No new engineering required. However, I wouldn't actually set this up; instead, I'd fix the underlying problem of looping errors.
I do go to syslog with alerts. Any suggestions? I have a particular sensor that periodically starts alerting on something, that just causes a round robin effect, and fills up the logs with the same error over and over and over, it gets really boring actually.
Sounds like the snort alert is re-triggering the alarm. You've got several choices.
- don't ship the snort alerts off-system
- don't ship them through an interface that snort is watching
- fix the signature so it doesn't re-signal on its own alarm data
- encapsulate the alarm data in something like SSL or SSH so snort can't see the scary bits any more
- write a BPF filter to blind snort to the traffic stream that's carrying the alarms off-system
- disable the alarm that's looping
and maybe there are more alternatives.
-Bennett
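The "stop snort after more than x alerts in a time frame" watchdog Don asks for, written out as an added example (not code from this thread or from the snort or swatch projects). It keeps a sliding window of snort alerts parsed from syslog, and when the count in the window crosses the threshold it calls a handler that can stop the sensor and mail the admin. It also reports which signature ID dominates the window, since Bennett's point is that the real fix is the one rule that is looping. Assumptions: syslog lines in the classic BSD format with a snort[pid] tag and the [gid:sid:rev] prefix, the year 2002 for the timestamps (syslog omits it), the /etc/init.d/snort stop command from the reply, and a generic mail command with a placeholder recipient address. The log lines are constructed.

```python
"""Sliding-window alert-rate watchdog for snort syslog output (added example)."""
import re
import subprocess
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumed syslog shape: "Dec 13 13:54:14 sensor1 snort[1234]: [1:100:1] msg ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snort\[\d+\]: (?P<msg>.*)$"
)
SID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")  # snort's [gid:sid:rev] prefix


def parse_alert(line, year=2002):
    """Return (timestamp, 'gid:sid:rev', message) for a snort syslog line, else None.
    Lines from other daemons are ignored. The year is assumed because syslog drops it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    sid = SID_RE.search(m.group("msg"))
    return ts, (":".join(sid.groups()) if sid else "unknown"), m.group("msg")


class AlertRateWatchdog:
    """Trip on_trip(ts, total, top_sid, top_count) once more than `threshold`
    alerts land inside the trailing `window_seconds`."""

    def __init__(self, threshold, window_seconds, on_trip):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.on_trip = on_trip
        self.recent = deque()  # (timestamp, sid) pairs still inside the window
        self.tripped = False

    def feed(self, line):
        """Consume one log line; return True if this line tripped the watchdog."""
        parsed = parse_alert(line)
        if parsed is None or self.tripped:
            return False
        ts, sid, _ = parsed
        self.recent.append((ts, sid))
        cutoff = ts - self.window
        while self.recent and self.recent[0][0] < cutoff:  # evict aged-out alerts
            self.recent.popleft()
        if len(self.recent) > self.threshold:
            self.tripped = True
            top_sid, top_count = Counter(s for _, s in self.recent).most_common(1)[0]
            self.on_trip(ts, len(self.recent), top_sid, top_count)
            return True
        return False


def stop_and_notify(ts, total, top_sid, top_count):
    """Real handler (assumed commands): stop the sensor, then mail the admin
    naming the signature that filled the window so the looping rule can be fixed."""
    body = (f"snort stopped at {ts}: {total} alerts in window, "
            f"{top_count} of them from signature {top_sid}\n")
    subprocess.run(["/etc/init.d/snort", "stop"], check=False)
    subprocess.run(["mail", "-s", "snort stopped: alert storm", "admin@example.invalid"],
                   input=body.encode(), check=False)


# Constructed sample: one old alert that ages out, a non-snort line that is
# skipped, then six alerts inside one hour with signature 1:100:1 looping.
SAMPLE_LOG = [
    "Dec 13 11:30:00 sensor1 snort[1234]: [1:100:1] CONSTRUCTED looping alert {UDP} 192.0.2.5:514 -> 192.0.2.9:514",
    "Dec 13 13:00:01 sensor1 snort[1234]: [1:100:1] CONSTRUCTED looping alert {UDP} 192.0.2.5:514 -> 192.0.2.9:514",
    "Dec 13 13:00:02 sensor1 snort[1234]: [1:100:1] CONSTRUCTED looping alert {UDP} 192.0.2.5:514 -> 192.0.2.9:514",
    "Dec 13 13:05:00 sensor1 sshd[999]: Accepted publickey for ops from 192.0.2.20",
    "Dec 13 13:10:00 sensor1 snort[1234]: [1:200:1] CONSTRUCTED other alert {TCP} 192.0.2.7:4444 -> 192.0.2.9:80",
    "Dec 13 13:20:00 sensor1 snort[1234]: [1:100:1] CONSTRUCTED looping alert {UDP} 192.0.2.5:514 -> 192.0.2.9:514",
    "Dec 13 13:30:00 sensor1 snort[1234]: [1:100:1] CONSTRUCTED looping alert {UDP} 192.0.2.5:514 -> 192.0.2.9:514",
    "Dec 13 13:59:00 sensor1 snort[1234]: [1:100:1] CONSTRUCTED looping alert {UDP} 192.0.2.5:514 -> 192.0.2.9:514",
]


def run_demo(threshold=5, window_seconds=3600, lines=SAMPLE_LOG):
    """Feed the sample through the watchdog with a recording handler
    (no process is stopped, no mail is sent); return the trip events."""
    events = []

    def record(ts, total, top_sid, top_count):
        events.append({"at": ts, "total": total, "top_sid": top_sid, "top_count": top_count})

    dog = AlertRateWatchdog(threshold, window_seconds, record)
    for line in lines:
        dog.feed(line)
    return events


if __name__ == "__main__":
    for ev in run_demo():
        print(f"tripped at {ev['at']}: {ev['total']} alerts, "
              f"top signature {ev['top_sid']} x{ev['top_count']}")
```

For a live sensor, tail the syslog file and pass each line to `feed`, with `stop_and_notify` as the handler. The dominant signature in the mail is the part worth acting on: once the rule that re-fires on its own alert traffic is corrected (or that traffic is excluded from the sensor's BPF filter), the watchdog should never trip again.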
Current thread:
- stopping snort Don (Dec 13)
- Re: stopping snort Erick Mechler (Dec 13)
- Re: stopping snort Bennett Todd (Dec 13)
- Re: stopping snort Alberto Gonzalez (Dec 13)