Firewall Wizards mailing list archives

Re: Opinion on SNORT


From: Matt Carothers <matt () telepath com>
Date: Tue, 28 Dec 1999 17:26:03 -0600 (CST)



On Wed, 22 Dec 1999, Coltrane Nyathi wrote:

> I'll appreciate any comments on SNORT if anyone has ever used/tested it

I like snort.  It's fast, useful, and easy to install and configure.  Mind
you, it's not as robust as NFR or similar, but it serves for simple burglar
alarms and such.

As an example, I found a couple of compromised accounts on one of my machines
that had been logged into from somewhere in Croatia.  After replacing the
login shells with Splotch [1], I invested the 60 seconds or so required to
add ...

alert tcp 161.53.0.0/16 any -> X.X.X.X/32 any (msg:"Incoming Croatian"; flags:S;)
log tcp 161.53.0.0/16 any -> X.X.X.X/32 any
log udp 161.53.0.0/16 any -> X.X.X.X/32 any

... to my Snort rules.  Now I'll get an "Incoming Croatian" syslog message
and a log of the traffic with the application layer decode if any more wily
Croatians connect.

- Matt

[1] http://www.frenzy.com/~crack/hornyfem
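As an added illustration of what those three rules do (this is example code written for this archive page, not part of Matt's message and not Snort's own matcher), the script below parses rules of the same shape and evaluates them against a few constructed packets. The destination 192.0.2.10 is a placeholder standing in for the redacted X.X.X.X host, and the packets are constructed, not captured traffic. It mirrors Snort's default exact-match semantics for flags:S (a bare SYN fires the alert; a SYN/ACK or a data segment from the same netblock only hits the plain log rules).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rules modelled on the post; 192.0.2.10 is a placeholder host.
RULES_TEXT = """
alert tcp 161.53.0.0/16 any -> 192.0.2.10/32 any (msg:"Incoming Croatian"; flags:S;)
log tcp 161.53.0.0/16 any -> 192.0.2.10/32 any
log udp 161.53.0.0/16 any -> 192.0.2.10/32 any
"""

# action proto src sport -> dst dport (options)   -- options are optional
RULE_RE = re.compile(
    r"^(?P<action>alert|log)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)(?:\s*\((?P<opts>.*)\))?\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: str
    dst: ipaddress.IPv4Network
    dport: str
    msg: Optional[str]
    flags: Optional[str]


@dataclass
class Packet:
    """Minimal constructed 5-tuple plus TCP flag letters (e.g. 'S', 'SA', 'PA')."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: str = ""


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable rule: " + line)
        opts = {}
        for opt in (m.group("opts") or "").split(";"):
            opt = opt.strip()
            if opt:
                key, _, val = opt.partition(":")
                opts[key.strip()] = val.strip().strip('"')
        rules.append(Rule(
            action=m.group("action"),
            proto=m.group("proto"),
            src=ipaddress.ip_network(m.group("src")),
            sport=m.group("sport"),
            dst=ipaddress.ip_network(m.group("dst")),
            dport=m.group("dport"),
            msg=opts.get("msg"),
            flags=opts.get("flags"),
        ))
    return rules


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if not (_port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)):
        return False
    # Snort's flags:S without a modifier means exactly SYN set, nothing else.
    if rule.flags is not None and pkt.tcp_flags != rule.flags:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> List[Tuple[str, Optional[str]]]:
    """Return the (action, msg) pairs that fire for one packet, in rule order."""
    return [(r.action, r.msg) for r in rules if matches(r, pkt)]


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for p in (Packet("tcp", "161.53.1.1", 40000, "192.0.2.10", 23, "S"),
              Packet("tcp", "161.53.1.1", 40000, "192.0.2.10", 23, "PA"),
              Packet("udp", "161.53.2.2", 53, "192.0.2.10", 1024),
              Packet("tcp", "10.0.0.1", 40000, "192.0.2.10", 23, "S")):
        print(p.src, p.proto, p.tcp_flags or "-", "->", evaluate(RULES, p))
```

The alert rule and the tcp log rule both fire on the initial SYN, so the syslog line and the packet log arrive together; every later segment of that session from the /16 matches only the log rules, which is what produces the application-layer decode Matt mentions.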


