Snort mailing list archives
Re: Does "log" still alert?
From: twig les <twigles () yahoo com>
Date: Sat, 8 Feb 2003 11:42:33 -0800 (PST)
--- "Schmehl, Paul L" <pauls () utdallas edu> wrote:
> I've created a rule for resetting connections that we don't want to allow. After making sure it worked, I changed the rule action from alert to log. I was expecting this to mean that I would no longer see this rule showing up in ACID, but I still do. What does log mean? I thought it meant log, but don't alert.
Look thru the archive. Marty posted an answer about this a long time ago that explains the difference between log and alert and how the database plugin is a strange purgatory-like beast.
> On a more general note, how do you handle the load of alerts you get? I see two ways. Either you disable many of the standard rulesets, or you customize them and don't update them very regularly. Since I'm updating rules daily, the second option really isn't any option. Is there another way to do it? I'd rather not create a whole raft of custom rules, but if I disable or alter one of the standard rules, it will just be overwritten the next time that the rules are updated. How are people handling that?
Get oinkmaster. It's a Perl script with a conf file that allows you to update your ruleset via cron or whatever and have signatures automagically commented out based on the signature ID (SID). If you're at all familiar with *nix and can read, it takes about 15 minutes to dl, unpack and use. As for making your own rules and having them overwritten, just create a new rules file and add it to snort.conf. I use "custom.rules", which never gets updated cause the snort ruleset doesn't (and prolly never will) have anything named that.
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member
>
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
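As an added example (not code from this thread, and not oinkmaster's own code), here is a small Python script that does what the reply describes: it re-applies a local policy to a freshly downloaded rules file by commenting out rules by SID, and it can also flip chosen rules from `alert` to `log`, which is the change the original question was about. It also checks that a locally maintained `custom.rules` file does not reuse a SID from the distributed set, since a collision would make two different rules indistinguishable in ACID. The rule lines are constructed samples, not real Snort signatures; the `disablesid` line format written by `oinkmaster_conf_lines` is my recollection of the oinkmaster.conf directive and should be treated as an assumption to verify against the oinkmaster documentation.

```python
import re

# Constructed sample of a downloaded ruleset. Not the Snort distribution; the
# SIDs are in the >= 1,000,000 local range on purpose so they collide with nothing real.
SAMPLE_RULES = """\
# ---- constructed sample, not the Snort ruleset ----
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample one"; flow:to_server; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH sample two"; flow:to_server; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"already disabled"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS sample four"; sid:1000004; rev:1;)
"""

# Constructed local rules file, as the reply suggests keeping in custom.rules.
SAMPLE_CUSTOM = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"local IRC policy"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"local telnet policy"; sid:1000100; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Snort 1.9/2.0 rule actions. A line that starts with one of these is a live rule;
# a line starting with '#' is already disabled and is left alone.
ACTION_RE = re.compile(r"^(alert|log|pass|activate|dynamic)\b")


def rule_sid(line):
    """Return the sid:N value of a rule line (commented or not), or None."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def apply_local_policy(rules_text, disable_sids=(), log_only_sids=()):
    """Re-apply local changes to an updated rules file.

    disable_sids  -> rule is commented out (what oinkmaster's disablesid does)
    log_only_sids -> 'alert' action is rewritten to 'log'
    Returns (new_text, {sid: "disabled" | "log"}).
    Assumption: one rule per line; backslash-continued rules are not joined.
    """
    disable, log_only = set(disable_sids), set(log_only_sids)
    out, changed = [], {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        sid = rule_sid(stripped)
        if sid is not None and ACTION_RE.match(stripped):
            if sid in disable:
                out.append("# " + stripped)
                changed[sid] = "disabled"
                continue
            if sid in log_only and stripped.startswith("alert"):
                out.append("log" + stripped[len("alert"):])
                changed[sid] = "log"
                continue
        out.append(line)
    return "\n".join(out) + "\n", changed


def sid_collisions(custom_text, dist_text):
    """SIDs that appear both in custom.rules and in the distributed ruleset."""
    dist = {rule_sid(l) for l in dist_text.splitlines()} - {None}
    custom = {rule_sid(l) for l in custom_text.splitlines()} - {None}
    return sorted(dist & custom)


def oinkmaster_conf_lines(disable_sids):
    """Emit 'disablesid N' lines (assumed oinkmaster.conf syntax) for the same policy."""
    return ["disablesid %d" % sid for sid in sorted(set(disable_sids))]


if __name__ == "__main__":
    text, changed = apply_local_policy(SAMPLE_RULES, disable_sids=[1000001], log_only_sids=[1000004])
    print(text)
    print("changed:", changed)
    print("collisions with custom.rules:", sid_collisions(SAMPLE_CUSTOM, SAMPLE_RULES))
    print("\n".join(oinkmaster_conf_lines([1000001])))
```

Run this from cron after each rules download, before Snort is restarted, and keep the SID lists in one place under version control; that way the distributed files can be replaced wholesale every day while the local policy survives, and a SID that the vendor retires simply stops matching anything.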