Snort mailing list archives

Re: SnortSam - a few questions


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 26 Sep 2003 14:14:26 -0500

On Fri, 2003-09-26 at 12:35, zottmann () ig com br wrote:
> I have two questions regarding SnortSam, though:
>
> 1) Is there a list of "proven" attack rules, that we can use as a basis for
> configuring these rules to use SnortSam to block the attackers at the
> firewall?

Not really. It is up to each individual operator what rules he chooses
to block on. False-positives are different between each individual
network, so only you know which rules are safe to block on in your network.

> 2) Although SnortSam is working fine, we don't get the alerts on Acid
> regarding the rule that we have chosen for the SnortSam test. Do we have to
> duplicate the rules that we chose to run with SnortSam, or is there another
> way to get Acid alerts for these rules too?

There is nothing special that needs to be done. Snortsam is an alert
output plugin, so every alert rule that also has a fwsam option in it
will block. If these alerts are also sent to your ACID database then you
should see them. Log rules don't invoke Snortsam. So if you want to log
details to a db and call Snortsam, you would have to create a custom
rule type that includes both the database plugin and the Snortsam plugin.

Hope this helps,
Frank
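One way to wire up the custom rule type Frank describes in snort.conf, as an added example rather than anything from his message or from the SnortSam project: a ruletype of type alert whose output section lists both the database plugin (which ACID reads) and the SnortSam plugin, and a harmless test rule that uses it. The ruletype name `dbblock`, the SnortSam station address 10.0.0.1:898, the shared key, the database parameters and the test payload are placeholders; the plugin and option syntax follows the SnortSam documentation of that era.

```snort
# Added example, not from the original post. Custom rule type that sends a
# matching alert to both the database plugin ACID reads and the SnortSam plugin.
# It must be "type alert": log rules do not invoke SnortSam.
ruletype dbblock
{
    type alert
    # Placeholder database settings; the same plugin ACID is already reading from.
    output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
    # Placeholder SnortSam station: host:port/key shared with the snortsam daemon.
    output alert_fwsam: 10.0.0.1:898/CHANGEME
}

# Test rule using the custom type, in the spirit of the "SnortSam test" rule in
# the question. Only traffic carrying the constructed marker string matches.
# The fwsam option blocks the source address; a bounded time keeps the cost of
# a false positive small, which matters since only the operator knows which
# rules are safe to block on in a given network.
dbblock tcp any any -> $HOME_NET 12345 (msg:"SnortSam test rule: block source"; \
    flow:to_server,established; content:"SNORTSAM-TEST"; nocase; \
    fwsam: src, 15 minutes; classtype:misc-activity; sid:1000001; rev:1;)
```

Rules written with the custom type replace, rather than duplicate, the plain alert rule, so the same event reaches ACID and SnortSam once.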
