Snort mailing list archives

Re: stopping snort


From: Bennett Todd <bet () rahul net>
Date: Fri, 13 Dec 2002 15:46:44 -0500

2002-12-13-13:54:14 Don:
Has anyone found a way to stop snort, automatically, [...]

That's very much a platform-specific question. On platforms on which
I'd try and support snort, when it's installed the way I'd install
it, I can always stop it with "/etc/init.d/snort stop".

What I want to do is have snort stop, if it gets more than 'x'
alerts in a single hour, or some time frame, then of course email
me that it has stopped.

On the platforms where I'd support snort, I'd just use swatch with a
rule to stop snort. No new engineering required. However, I wouldn't
actually set this up; instead, I'd fix the underlying problem of
looping errors.

I do go to syslog with alerts. Any suggestions? I have a
particular sensor that periodically starts alerting on something,
that just causes a round robin effect, and fills up the logs with
the same error over and over and over. It gets really boring
actually.

Sounds like the snort alert is re-triggering the alarm. You've got
several choices.

- don't ship the snort alerts off-system
- don't ship them through an interface that snort is watching
- fix the signature so it doesn't re-signal on its own alarm data
- encapsulate the alarm data in something like SSL or SSH so snort
  can't see the scary bits any more
- write a BPF filter to blind snort to the traffic stream that's
  carrying the alarms off-system
- disable the alarm that's looping

and maybe there are more alternatives.

-Bennett
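The per-hour alert count the thread talks about, as an added example that is not part of this exchange or of Snort or swatch: it parses Snort syslog alert lines, counts each signature in a sliding one-hour window, and names the signatures that exceed the threshold, which is what a swatch rule would act on and which points straight at the looping alarm to fix or disable. The host name, PIDs, SIDs, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape Snort writes alerts to syslog (hypothetical
# host, PIDs, SIDs and addresses). SID 1000001 is the "looping" rule: it keeps
# matching the sensor's own alert traffic to the log host on UDP/514.
SAMPLE_LOG = """\
Dec 13 14:00:01 sensor1 snort[2123]: [1:1000001:1] LOCAL syslog alert loop [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 14:05:30 sensor1 snort[2123]: [1:1000002:1] LOCAL ICMP echo [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9
Dec 13 14:10:02 sensor1 snort[2123]: [1:1000001:1] LOCAL syslog alert loop [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 14:20:03 sensor1 snort[2123]: [1:1000001:1] LOCAL syslog alert loop [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 14:30:04 sensor1 snort[2123]: [1:1000001:1] LOCAL syslog alert loop [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 14:40:05 sensor1 snort[2123]: [1:1000001:1] LOCAL syslog alert loop [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:514 -> 10.0.0.9:514
Dec 13 16:50:00 sensor1 snort[2123]: [1:1000001:1] LOCAL syslog alert loop [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.5:514 -> 10.0.0.9:514
"""

# Syslog timestamp, "snort[pid]:", the [gid:sid:rev] tag, then the rule message.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[(?:Classification|Priority):"
)

def parse_alerts(text, year=2002):
    """Return [(timestamp, sid, msg)] per alert line; syslog omits the year."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            alerts.append((ts, m["sid"], m["msg"]))
    return alerts

def noisy_signatures(alerts, threshold, window=timedelta(hours=1)):
    """Map sid -> peak count for signatures that fire more than `threshold`
    times inside any sliding window of length `window` (default one hour)."""
    by_sid = defaultdict(list)
    for ts, sid, _msg in alerts:
        by_sid[sid].append(ts)
    noisy = {}
    for sid, times in by_sid.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop alerts older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            noisy[sid] = peak
    return noisy
```

Running `noisy_signatures(parse_alerts(SAMPLE_LOG), threshold=3)` on the sample returns only SID 1000001 with its peak of five alerts in one hour; the lone alert two hours later falls outside the window and does not count toward it.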
