Snort mailing list archives
Re: new snort user
From: james <hackerwacker () cybermesa com>
Date: 29 Nov 2003 01:54:35 -0700
What OS & platform are you running this on? I'll guess *nix. "ps -ax | grep snort" or just a "ps -ax" and look for it. If you have a busy network, Snort will hang out at the top of a "top" command. All of this depends on OS, so it would help to know that.

Start snort without the "-D" and see what happens; it either will or will not load. Easy. It even tells you what did not work.

As to starting command flags, it really depends on how you want to log (full/some headers & binary) and some other behaviors. So it depends on what you want to do and how you like your data to be collected. Take a look at what you are collecting now and see if you find it useful. There is no "right" way, as long as it runs!

The "-l" is to set the dir for logging. "-b" means you are capturing any packets that match your rules, in binary format. If that is what you want, then I would just specify a path to the "-l" flag, like "-l /var/log/snort/" and you are good to go. You might find these flags useful:

snort -c snort.conf -l /var/log/snort/ -A full

"-A full" gives you a nice log called "alert" with just the full headers, in ascii decode, i.e. txt format. The name of the rule matched & packet headers for every rule match are written to the "alert" file. This format might be more useful to you, but if you want binary capture too, just add the flags. Fire up snort and "tail -f alert" to see what is going on.

What is on your network? Servers, clients? MS, Linux, or Plan9? With this in mind, go to the end of your config and comment out all the rules you do not need. Then you play the game of "do I live with this many alerts or do I comment out rule X". You should read the book "TCP/IP Illustrated" to better answer this question; it is a really good read, even for a tech book. Whether something is a real alert or a false positive is a somewhat personal question, with respect to the network Snort is listening to.
Some alerts are bad in almost all situations, but for many it depends on what you think is OK and your network. If you have mail, web, or whatever servers, by all means define them in your conf. The Internet is very noisy, so don't throw all your rules at your whole address space. If you want to detect scans, you are good to go.

Do keep in mind, with your Snort box you have now done most of the hacker's job; he just has to crack your box. As your box hears everything, it makes a great target. Read up on securing your OS.
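One way to play the "do I live with this many alerts or comment out rule X" game from the "-A full" alert file: an added example (not from the original post or from the Snort project) that counts alerts per rule, most frequent first, so the noisiest SIDs stand out. The alert entries it writes are constructed for the example; the SIDs and addresses in them are made up.

```shell
#!/bin/sh
# Summarise a Snort "alert" file (-A full format) by rule: count per
# gid:sid:rev and message, most frequent first. The top entries are the
# first candidates to review or comment out in snort.conf.

make_sample_alert_file() {
  # $1 = path to write a constructed sample alert file (not real traffic)
  cat > "$1" <<'EOF'
[**] [1:1000001:1] LOCAL ICMP echo request [**]
[Classification: Misc activity] [Priority: 3]
11/29-01:54:35.123456 192.0.2.10 -> 192.0.2.1
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1   Seq:1  ECHO

[**] [1:1000002:1] LOCAL web server probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/29-01:55:10.000001 198.51.100.7:4321 -> 192.0.2.80:80
TCP TTL:52 TOS:0x0 ID:4242 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x1  Ack: 0x1  Win: 0x2000  TcpLen: 20

[**] [1:1000001:1] LOCAL ICMP echo request [**]
[Classification: Misc activity] [Priority: 3]
11/29-01:56:00.654321 192.0.2.11 -> 192.0.2.1
ICMP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1   Seq:2  ECHO
EOF
}

summarize_alerts() {
  # $1 = alert file. Keeps only the "[**] [gid:sid:rev] msg [**]" header
  # lines, strips the brackets, and prints "<count> <gid:sid:rev> <msg>"
  # sorted by count, highest first.
  grep '^\[\*\*\] \[' "$1" \
    | sed 's/^\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\]$/\1 \2/' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

top_sid() {
  # $1 = alert file. Prints the SID of the most frequent rule match.
  summarize_alerts "$1" | head -n 1 | awk '{split($2, id, ":"); print id[2]}'
}
```

Run it against your real file with "summarize_alerts /var/log/snort/alert" once Snort has been listening for a while; the sample generator is only there so the script runs stand-alone.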