Snort mailing list archives
RE: Does "log" still alert?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sat, 8 Feb 2003 13:49:24 -0600
Thanks. Once again you've been very helpful. If I may suggest something that would probably improve the site, it would be more information on the contrib stuff. Some of it has no notes at all, so a newbie like me has no idea what the programs do. I will go get oinkmaster now. :-) BTW, I've written a bash script that parses the portscan log and returns a count of each unique IP on each unique port. Usage is ./count-scan.sh port_num or ./count-scan.sh all - which will parse ports 1-1024, 1433 and 1434 from the portscan.log. If anyone is interested, I'll put up a new page on my website for some of these scripts that I'm writing. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/~pauls/ AVIEN Founding Member -----Original Message----- From: twig les [mailto:twigles () yahoo com] Sent: Saturday, February 08, 2003 1:43 PM To: Schmehl, Paul L; snort-users () lists sourceforge net Subject: Re: [Snort-users] Does "log" still alert? --- "Schmehl, Paul L" <pauls () utdallas edu> wrote:
I've created a rule for resetting connections that we don't want to allow. After making sure it worked, I changed the rule action from alert to log. I was expecting this to mean that I would no longer see this rule showing up in ACID, but I still do. What does log mean? I thought it meant log, but don't alert.
Look thru the archive. Marty posted an answer about this a long time ago that explains the difference between log and alert and how the database plugin is a strange purgatory-like beast.
On a more general note, how do you handle the load of alerts you get?
I see two ways. Either you disable many of the standard rulesets, or you customize them and don't update them very regularly. Since I'm updating rules daily, the second option really isn't any option. Is there another way to do it? I'd rather not create a whole raft of custom rules, but if I disable or alter one of the standard rules, it will just be overwritten the next time that the rules are updated. How are people handling that?
Get oinkmaster. It's a pearl script with a conf file that allows you to update your ruleset via cron or whatever and have signatures automagically commented out based on the signature ID (SID). If you're at all familiar with *nix and can read it takes about 15 minutes to dl, unpack and use. As for making your own rules and having them overwritten, just create a new rules file and add it to snort.conf. I use "custom.rules", which never get updated cause the snort ruleset doesn't (and prolly never will) have anything named that.
Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/~pauls/ AVIEN Founding Member ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
===== ----------------------------------------------------------- Know yourself and know your enemy and you will never fear defeat. ----------------------------------------------------------- __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Does "log" still alert? Schmehl, Paul L (Feb 08)
- Re: Does "log" still alert? twig les (Feb 08)
- <Possible follow-ups>
- RE: Does "log" still alert? Schmehl, Paul L (Feb 08)