Snort mailing list archives
Re: How to confirm
From: John Sage <jsage () finchhaven com>
Date: Tue, 04 Dec 2001 07:32:31 -0800
Sendhil:

First, realize that snort will only log or alert on whatever the current rules you are using will detect.

That would seem to be obvious, but some people seem to miss this fact...

To test, from outside the snort box, attempt to do something the current rules prohibit.

You might add rules into snort.conf that affect frequent normal traffic:

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
#
alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"TCP from 110 pop3";)
#

or something like that.

HTH..

- John

ps: In the future it would be *real* helpful if you'd give some description of your layout, and what version of snort you're running...

Sendhil Kumar wrote:
Hi list

I am new to Snort. I have installed snort in my Redhat box. I want to know how to check if the snort is working as it is supposed to. I could find much information about checking in the FAQ. Maybe I must have missed the best part. Please give me a hint how to check this please

Regards
Sendhil
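
One way to confirm that the two pop3 test rules from the reply actually fired, as an added example that is not part of either message: scan Snort's alert file for the rules' msg strings and report any rule that never alerted. It assumes alerts are written one per line in "fast" format; the function names, sample lines and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a Snort alert file for the msg strings of the test rules.
# Assumption: one alert per line ("fast" format), msg followed by " [**]".

# msg values copied from the two test rules in the reply.
EXPECTED_MSGS='TCP to 110 pop3
TCP from 110 pop3'

# count_alerts FILE MSG -> prints how many alert lines carry MSG.
count_alerts() {
    # A missing or unreadable alert file counts as "nothing fired".
    [ -r "$1" ] || { echo 0; return 0; }
    # -F: fixed string, so MSG is never interpreted as a regex.
    # "] MSG [**]" matches with or without a [gid:sid:rev] tag before MSG.
    grep -cF -- "] $2 [**]" "$1" || true
}

# missing_rules FILE -> prints each expected msg that never alerted;
# returns 0 only when every test rule fired at least once.
missing_rules() {
    status=0
    # Here-document keeps the loop in the current shell so status survives.
    while IFS= read -r msg; do
        if [ "$(count_alerts "$1" "$msg")" -eq 0 ]; then
            echo "$msg"
            status=1
        fi
    done <<EOF
$EXPECTED_MSGS
EOF
    return $status
}

# Constructed sample alert file (not real traffic): only the inbound rule fired.
sample=$(mktemp)
cat > "$sample" <<'EOF'
12/04-07:40:02.113245  [**] TCP to 110 pop3 [**] 192.0.2.10:34567 -> 10.0.0.5:110
12/04-07:40:09.530118  [**] [1:1000001:0] TCP to 110 pop3 [**] [Priority: 0] {TCP} 192.0.2.10:34570 -> 10.0.0.5:110
EOF

missing_rules "$sample" || echo "no alerts seen for the rules listed above"
```

A rule that stays in the "missing" list after traffic was generated points at the sensor's placement, interface or $HOME_NET / $EXTERNAL_NET settings rather than at the rule itself.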