Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Setting up simple LAN-sniffing for bad signatures?

From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 2 Jan 2015 14:35:22 -0700
If you just want to look for bad traffic that you are specifying and not
using rules from VRT or ET, then you just want to make local.rules and have
snort read that.  It's not a database per se, but just a text file that you
create the rules in.  If it's the logging you are having problems with, you
ned to specify how you want the output to go.. to a unified2 file, syslog
or text file.

You can sniff and manage on the same interface, though it's not recommended
for production to do it that way.



On Fri, Jan 2, 2015 at 2:18 PM, PattiMichelle <miche1 () earthlink net> wrote:


 Dear Snort Users:  I'm trying to figure out how to set up Snort on my
Opensuse 13.1x64 system to sniff (and log) instances of "bad" network
traffic (via snort signature database).  It seems tricky to get this
going.  There are websites which gave me enough information to get the
sniffer operational, but I can't seem to figure out how to get to read a
database of bad signatures, and log only those bad ones.  Does anyone have
a simple DIY for this?  I'm not trying to set up an alarm or automatic
response system.  Just to have a logfile available to look at from time to
time, or maybe diff occasionally.

Also, is it necessary to run snort in a virtual machine as a "sandbox," or
else to have two NICs, one for normal LAN traffic and the other for Snort?

Thank You Very Much,
Patricia




------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is
your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!


------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: