Snort mailing list archives

RE: Does "log" still alert?


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sat, 8 Feb 2003 13:49:24 -0600

Thanks.  Once again you've been very helpful.  If I may suggest
something that would probably improve the site, it would be more
information on the contrib stuff.  Some of it has no notes at all, so a
newbie like me has no idea what the programs do.

I will go get oinkmaster now. :-)

BTW, I've written a bash script that parses the portscan log and returns
a count of each unique IP on each unique port.  Usage is ./count-scan.sh
port_num or ./count-scan.sh all - which will parse ports 1-1024, 1433
and 1434 from the portscan.log.  If anyone is interested, I'll put up a
new page on my website for some of these scripts that I'm writing.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member 
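For readers who want to see what a script like the one Paul describes looks like, here is an added example (not Paul's count-scan.sh, and not Snort project code) that counts the unique source IPs seen against each destination port in a Snort 1.x portscan preprocessor log. It assumes the classic portscan.log line layout `Mon DD HH:MM:SS SRC:SPORT -> DST:DPORT FLAGS`; the log lines below are constructed sample data so the script runs offline.

```bash
#!/bin/sh
# Added example: count unique source IPs per destination port from a
# Snort 1.x portscan preprocessor log (portscan.log).
# Assumed line layout (adjust the awk field numbers if your log differs):
#   Feb  8 13:40:01 10.9.9.1:53264 -> 192.168.1.5:22 SYN ******S*

# Constructed sample log, written to a temp file so the script is self-contained.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb  8 13:40:01 10.9.9.1:53264 -> 192.168.1.5:22 SYN ******S*
Feb  8 13:40:01 10.9.9.1:53265 -> 192.168.1.6:22 SYN ******S*
Feb  8 13:40:02 10.9.9.1:53266 -> 192.168.1.7:1433 SYN ******S*
Feb  8 13:40:02 10.9.9.2:40001 -> 192.168.1.5:1433 SYN ******S*
Feb  8 13:40:03 10.9.9.2:40002 -> 192.168.1.5:1433 SYN ******S*
Feb  8 13:40:03 10.9.9.3:7 -> 192.168.1.9:9000 SYN ******S*
EOF

# count_scan LOGFILE PORT|all
#   Prints "dst_port src_ip hits", sorted by port, then by hits descending.
#   "all" keeps ports 1-1024 plus 1433 and 1434 (the MS SQL ports), as in
#   the usage Paul describes; a numeric PORT keeps only that port.
count_scan() {
    log="$1"; want="$2"
    awk -v want="$want" '
        {
            n = split($4, s, ":")          # source  ip:port
            m = split($6, d, ":")          # destination ip:port
            if (n < 2 || m < 2) next       # not a "src -> dst" line, skip it
            src = s[1]; dport = d[2]
            if (want == "all") {
                p = dport + 0
                if (!((p >= 1 && p <= 1024) || p == 1433 || p == 1434)) next
            } else if (dport != want) next
            hits[dport " " src]++
        }
        END { for (k in hits) print k, hits[k] }
    ' "$log" | sort -k1,1n -k3,3nr
}

# hits LOGFILE PORT IP
#   Convenience lookup: how many hits did IP make on PORT (0 if none).
hits() {
    count_scan "$1" "$2" | awk -v p="$2" -v ip="$3" '
        $1 == p && $2 == ip { print $3; found = 1 }
        END { if (!found) print 0 }'
}

# Stand-alone run: summarise every port of interest in the sample log.
count_scan "$SAMPLE_LOG" all
```

Run it as `./count-scan.sh` to see the summary of the sample data; to point it at a real log, replace `SAMPLE_LOG` with the path to your portscan.log (commonly /var/log/snort/portscan.log) and call `count_scan "$LOG" all` or `count_scan "$LOG" 1433`. The awk associative array keyed on "port ip" is what gives the per-port, per-IP count in one pass over the file.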


-----Original Message-----
From: twig les [mailto:twigles () yahoo com] 
Sent: Saturday, February 08, 2003 1:43 PM
To: Schmehl, Paul L; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Does "log" still alert?



--- "Schmehl, Paul L" <pauls () utdallas edu> wrote:
I've created a rule for resetting connections that we don't want to
allow.  After making sure it worked, I changed the rule action from
alert to log.  I was expecting this to mean that I would no longer see
this rule showing up in ACID, but I still do.  What does log mean?  I
thought it meant log, but don't alert.

Look thru the archive.  Marty posted an answer about this a long time
ago that explains the difference between log and alert and how the
database plugin is a strange purgatory-like beast.


On a more general note, how do you handle the load of alerts you get?

I see two ways.  Either you disable many of the standard rulesets, or
you customize them and don't update them very regularly.  Since I'm
updating rules daily, the second option really isn't any option.  Is
there another way to do it?  I'd rather not create a whole raft of
custom rules, but if I disable or alter one of the standard rules, it
will just be overwritten the next time that the rules are updated.

How are people handling that?

Get oinkmaster.  It's a Perl script with a conf file that allows you to
update your ruleset via cron or whatever and have signatures
automagically commented out based on the signature ID (SID).  If you're
at all familiar with *nix and can read, it takes about 15 minutes to dl,
unpack and use.

As for making your own rules and having them overwritten, just create a
new rules file and add it to snort.conf.  I use "custom.rules", which
never gets updated because the snort ruleset doesn't (and prolly never
will) have anything named that.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member 


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.

-----------------------------------------------------------


