Snort mailing list archives
Re: how rules work
From: Robert Fowler <robshomemail () yahoo com>
Date: Tue, 11 Dec 2007 10:16:33 -0800 (PST)
Hi Matt/All

Just two other points:

If I have configured the network card with an IP address, do I need to remove this before starting Snort so it listens in promiscuous mode? I am using Ubuntu; do I need to do anything specific other than remove the IP address?

On the rules, I will edit each rule one by one. Stupid question, as I am not currently looking at a rule: what comment is required to enable / disable?

Finally, if all rules log to MySQL, what do I need to do to see traffic that activates a rule?

Thanks again
Robert

----- Original Message ----
From: Matt Jonkman <jonkman () jonkmans com>
To: Robert Fowler <robshomemail () yahoo com>
Cc: snort-users () lists sourceforge net
Sent: Tuesday, 11 December, 2007 6:06:48 PM
Subject: Re: [Snort-users] how rules work

Robert Fowler wrote:
> Basically, can I disable all rules and add them one by one? And what file determines which rules to use?
Best bet is to start by disabling/enabling the major categories that you might need. Also look at bleedingthreats.net for a complementary ruleset to the stock sets. Then look at what hits you get and make sure your sensor can handle the load. Then start en/disabling individual rules that are of interest to you. You can en/disable categories of rules in your snort.conf. Individual rules are in the individual ruleset files, most likely in your rules/ dir.
> Will Snort act as an IPS and kill my network, or will it just monitor traffic?
It can do both. Stock, it'll be just monitoring. To block you have to get more complex: go inline, use flexresponse, or something like snortsam (snortsam.net).
> Also, on a separate note, do I need the network interface to operate in promiscuous mode, and does this need a specific switch when starting Snort?
It'll do that on its own, but ya, generally so.

Matt
> Thanks for the help
> Robert
> --
> Matthew Jonkman
> Emerging Threats
> US Phone 765-429-0398
> US Fax 312-264-0205
> AUS Phone 61-42-4157-491
> AUS Fax 61-29-4750-026
> http://www.emergingthreats.net
> PGP: http://www.jonkmans.com/mattjonkman.asc
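An added example, not code from the thread or from the Snort project, of the two edits Matt describes: toggling a category `include $RULE_PATH/...` line in snort.conf and commenting an individual rule out by SID in a rules file (Snort treats lines beginning with `#` as comments). The config and rules below are constructed samples; the category names and the SIDs in the local 1000000+ range are assumptions.

```python
# Added example (not from the thread): enable/disable Snort rule
# categories in snort.conf and individual rules (by SID) in a rules file.
import re

# Matches "sid:NNN;" inside a rule's option list.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# Matches an (optionally commented) "include $RULE_PATH/<category>.rules".
INCLUDE_RE = re.compile(r'^(\s*)(#\s*)?(include\s+\$RULE_PATH/(\S+)\.rules)\s*$')

# Constructed snort.conf fragment and rules file (not real rulesets).
SAMPLE_CONF = """\
# constructed snort.conf fragment
var RULE_PATH rules
include $RULE_PATH/local.rules
# include $RULE_PATH/web-attacks.rules
"""
SAMPLE_RULES = """\
# constructed sample rules, SIDs in the local range
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to server"; flow:to_server; sid:1000001; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; itype:8; sid:1000002; rev:1;)
"""

def set_category_state(conf_text, category, enabled):
    """Comment or uncomment the include line for one rule category."""
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(4) == category:
            out.append(m.group(1) + ('' if enabled else '# ') + m.group(3))
        else:
            out.append(line)
    return '\n'.join(out) + '\n'

def set_rule_state(rules_text, sid, enabled):
    """Comment (enabled=False) or uncomment (enabled=True) the rule with `sid`."""
    out = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) == sid:
            body = line.lstrip().lstrip('#').lstrip()  # rule text without the comment marker
            out.append(body if enabled else '# ' + body)
        else:
            out.append(line)
    return '\n'.join(out) + '\n'

def rule_states(rules_text):
    """Map each SID in the file to True (active) or False (commented out)."""
    states = {}
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m:
            states[int(m.group(1))] = not line.lstrip().startswith('#')
    return states
```

`rule_states` is the quick check to run after editing, so you can see which SIDs are actually live before restarting the sensor.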