Firewall Wizards mailing list archives
Re: Opinion on SNORT
From: Matt Carothers <matt () telepath com>
Date: Tue, 28 Dec 1999 17:26:03 -0600 (CST)
On Wed, 22 Dec 1999, Coltrane Nyathi wrote:
> I'll appreciate any comments on SNORT if anyone has ever used/tested it
I like snort. It's fast, useful, and easy to install and configure. Mind you, it's not as robust as NFR or similar, but it serves for simple burglar alarms and such. As an example, I found a couple of compromised accounts on one of my machines that had been logged into from somewhere in Croatia. After replacing the login shells with Splotch [1], I invested the 60 seconds or so required to add

...
alert tcp 161.53.0.0/16 any -> X.X.X.X/32 any (msg:"Incoming Croatian"; flags:S;)
log tcp 161.53.0.0/16 any -> X.X.X.X/32 any
log udp 161.53.0.0/16 any -> X.X.X.X/32 any
...

to my Snort rules. Now I'll get an "Incoming Croatian" syslog message and a log of the traffic with the application layer decode if any more wily Croatians connect.

- Matt

[1] http://www.frenzy.com/~crack/hornyfem
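The reply above hinges on three short rules: one alert on inbound SYNs from a source netblock, plus two log rules that capture the rest of the TCP and UDP traffic from it. The following is an added Python example written for this archive page; it is not code from the post or from Snort. It parses the classic rule header (action, protocol, source net/port, destination net/port) and the msg and flags options, then evaluates constructed packets against the rules so the alert-versus-log split is visible. Assumptions: the documentation address 192.0.2.10 stands in for the redacted X.X.X.X; port specs are only "any" or a single port; flags:S is treated as "exactly SYN set" (the + and * modifiers are not implemented); and every matching rule is reported in file order rather than modelling Snort's own rule ordering.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule set: the three rules from the post, with the redacted X.X.X.X
# replaced by the documentation address 192.0.2.10 (assumption, not the poster's host).
RULES_TEXT = """
alert tcp 161.53.0.0/16 any -> 192.0.2.10/32 any (msg:"Incoming Croatian"; flags:S;)
log tcp 161.53.0.0/16 any -> 192.0.2.10/32 any
log udp 161.53.0.0/16 any -> 192.0.2.10/32 any
"""

# action proto src sport -> dst dport (options): the classic Snort rule header
RULE_RE = re.compile(
    r"^(alert|log|pass)\s+(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)"
    r"(?:\s*\((.*)\))?\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    src_port: str
    dst_net: ipaddress.IPv4Network
    dst_port: str
    msg: Optional[str] = None
    flags: Optional[str] = None  # TCP flag letters from a flags: option, e.g. "S"


@dataclass
class Packet:
    """Minimal decoded packet: only the header fields these rules inspect."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flag letters that are set, e.g. "S" or "SA"


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto,
                ipaddress.ip_network(src, strict=False), sport,
                ipaddress.ip_network(dst, strict=False), dport)
    # Options are "key:value;" pairs; only msg and flags are understood here.
    for opt in (opts or "").split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "flags":
            rule.flags = val
    return rule


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def port_matches(spec: str, port: int) -> bool:
    # Only "any" and a single port are supported; port ranges are out of scope here.
    return spec == "any" or int(spec) == port


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src_net:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst_net:
        return False
    if not (port_matches(rule.src_port, pkt.sport) and port_matches(rule.dst_port, pkt.dport)):
        return False
    # flags:S means exactly SYN set, so a SYN/ACK or a plain ACK does not match.
    if rule.flags is not None and set(rule.flags) != set(pkt.flags):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> List[Tuple[str, Optional[str]]]:
    """Return (action, msg) for every rule the packet matches, in rule-file order."""
    return [(r.action, r.msg) for r in rules if matches(r, pkt)]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    samples = [  # constructed packets
        Packet("tcp", "161.53.10.20", 40000, "192.0.2.10", 22, "S"),  # new connection: alert + log
        Packet("tcp", "161.53.10.20", 40000, "192.0.2.10", 22, "A"),  # mid-stream: log only
        Packet("udp", "161.53.1.1", 5353, "192.0.2.10", 53),          # udp: log only
        Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 22, "S"),      # other source: silent
    ]
    for p in samples:
        print(p.proto, p.src, p.flags or "-", "->", evaluate(rules, p))
```

The SYN packet is the only one that produces the "Incoming Croatian" alert; the ACK and UDP packets from the same netblock are picked up by the log rules only, which is exactly the one-line-alarm-plus-full-capture arrangement the reply describes.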
Current thread:
- Opinion on SNORT Coltrane Nyathi (Dec 22)
- Re: Opinion on SNORT Matt Carothers (Dec 28)