Snort mailing list archives
Re: SnortSam - a few questions
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 26 Sep 2003 14:14:26 -0500
On Fri, 2003-09-26 at 12:35, zottmann () ig com br wrote:
> I have two questions regarding SnortSam, though: 1) Is there a list of "proven" attack rules, that we can use as a basis for configuring these rules to use SnortSam to block the attackers at the firewall?
Not really. It is up to each individual operator what rules he chooses to block on. False-positives are different between each individual network, so only you know which rules are safe to block on in your network.
> 2) Although SnortSam is working fine, we don't get the alerts on Acid regarding the rule that we have chosen for the SnortSam test. Do we have to duplicate the rules that we chose to run with SnortSam, or is there another way to get Acid alerts for these rules too?
There is nothing special that needs to be done. Snortsam is an alert output plugin, so every alert rule that also has a fwsam option in it will block. If these alerts are also sent to your ACID database then you should see them. Log rules don't invoke Snortsam. So if you want to log details to a db and call Snortsam, you would have to create a custom rule type that includes both the database plugin and the Snortsam plugin.

Hope this helps,
Frank
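An added illustration of the custom rule type Frank describes (this is an example snort.conf fragment written for this page, not something from the thread or from the SnortSam project): a Snort 2 `ruletype` that sends each match to both the database output plugin and the SnortSam `alert_fwsam` output plugin, followed by one rule that uses it. The rule type name `sam_db`, the database credentials, the SnortSam host `10.0.0.1`, the shared secret `PLACEHOLDER_SECRET`, the 15-minute block duration and the sid are all assumed values and must be replaced with your own.

```conf
# Added example, not from the original message. A custom rule type is an
# alert-type rule whose output section lists every plugin that should fire.
ruletype sam_db
{
    type alert
    # Same syntax as a top-level "output database:" line; hypothetical
    # credentials so that ACID (reading the same database) sees the alert.
    output database: alert, mysql, user=snort password=PLACEHOLDER_DB_PW dbname=snort host=localhost
    # SnortSam agent host[:port]/shared secret; 10.0.0.1 and the secret are placeholders.
    output alert_fwsam: 10.0.0.1:898/PLACEHOLDER_SECRET
}

# A rule of the custom type: the "fwsam" option asks the agent to block the
# source address for 15 minutes. Only rules using the sam_db type (or a plain
# "alert" rule when alert_fwsam is a global output) reach SnortSam; "log"
# rules do not. sid 1000001 is an arbitrary local-range value for the example.
sam_db tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe, block source"; flow:to_server,established; fwsam: src, 15 minutes; classtype:attempted-recon; sid:1000001; rev:1;)
```

Because the block is executed at the firewall, this kind of rule type should be attached only to signatures that you have already confirmed produce no false positives on your own network, as the reply above stresses; a noisy signature here turns a detection into a self-inflicted denial of service against legitimate addresses.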