Snort mailing list archives

Re: snort on OSSIM


From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Wed, 17 Mar 2010 10:39:05 -0400

Kaushal,

I see at https://www.alienvault.com/forum/index.php?t=msg&th=1755&start=0&S=b8d60b94e6c1d460ebf808dfc78343a5 that you 
couldn't find where this used to be, under Configuration->Plugins.  I have not used 2.2, so I don't know where to 
change the priorities or reliability for rules in this case, as that is where it used to be.  Each of the rules should 
have a priority setting and a reliability that you can adjust, but usually the default levels are pretty spot-on for 
what you need.  Keep in mind though, that if you want to stop getting an alert for a certain rule from Snort, you are 
better off using thresholding or suppression (via Snort, aka backend).  If you want to raise the reliability or the 
priority though, that is where I would recommend making the change via the OSSIM web interface.  As far as where to do 
that now, you may want to email Dominique Karg over at Alienvault.

-Parker

-----Original Message-----
From: Kaushal Shriyan [mailto:kaushalshriyan () gmail com]
Sent: Wednesday, March 17, 2010 9:38 AM
To: Crook, Parker
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort on OSSIM

On Wed, Mar 17, 2010 at 6:50 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:
Kaushal,

I honestly don't think you can configure Snort via the OSSIM web interface -- since there are only a number of 
settings that are passed from the OSSIM configs to the snort.debian.conf file it would stand to reason that OSSIM 
itself is not reading the snort.conf file to pass it up to the webpage (since OSSIM never touches the file, but 
instead passes the settings in snort.debian.conf to Snort as command-line options).

Pretty much the only thing you can configure in the web interface for Snort is the priority and reliability of the 
rules.

-Parker

Hi Parker,

Thanks for the quick reply.

Where do I configure the priority and reliability of the rules for Snort in the web interface? I checked under Configuration > Collection.

Could not locate it. I am using OSSIM 2.2.

Please guide.

Thanks and Regards,

Kaushal
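The Snort-side alternative Parker recommends above (thresholding or suppression in Snort's own configuration, rather than lowering a rule's priority in OSSIM) looks like the following. This is an added example, not a file from the thread or from OSSIM; the SID, the host address and the file path are assumed placeholders, and on a Debian install the file is the one that snort.conf pulls in with `include threshold.conf`.

```snort
# /etc/snort/threshold.conf  (assumed path; referenced from snort.conf via "include threshold.conf")
# Added example. gen_id 1 is the standard rules engine; sig_id 1000001 and
# 10.0.0.5 are placeholders, not identifiers taken from the thread.

# Option 1: stop alerting on this rule for one known-noisy source host only.
# Other sources still trigger the rule, so the event keeps its OSSIM priority
# and reliability for everything else.
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.5

# Option 2: keep the rule for all sources, but emit at most one alert per
# source address per 60 seconds so a scan does not flood the collector.
# (Snort 2.8.5 and later use "event_filter"; the older "threshold" keyword
# takes the same arguments and is still accepted, but is deprecated.)
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

Because these are evaluated by the Snort process itself, they take effect after a Snort restart and are independent of whatever OSSIM later does with the events it collects; OSSIM never writes to this file, so the change survives an OSSIM reconfiguration.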
