Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort Implementation

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Jan 2004 12:22:52 -0500
At 03:29 AM 1/13/2004, yyyyyy yaher wrote:

1-What is the most stable version of Snort that have
been tested ?
2.10 is the most recent stable release, but it has some issues with alert mangling in some cases. I might wait for 2.1.1 before switching to the 2.1.x series. 

2.0.6 is a bit more "well tested:


2- is it possible to get   Snort running  on Linux
Redhat without installing Mysql and ACID ?  do i get
all the  Alerts generated by Snort in that case? and
wthat is the impact on Snort Performance ?


Sure,.. acid/mysql is just one popular management interface.

Snort can log to mysql, flat file, or syslog, your choice.

I personally use flat file logging, and tcpdump format packet logging.




3- what are the basic commands to run Snort in IDS
mode  in order to capture and analyze  packets and
generates Alerts in simple format ?


snort -D -c /etc/snort.conf
The "commands" are all in your snort.conf file.. the snort tarball comes with a snort.conf which has most all of the settings documented in it. Start with that as a template and edit it to your needs. 


and how can i
optimize its function in orderto filter the false
positives messages  and get only the real Threats?


tweak the rules that are included by your snort.conf



4-does snort.conf is updated with the most rules
regarding recent attacks and worms ? and how could i
verify that ?
you can download an updated snort.conf and *.rules from the snort.org website. Oinkmaster is a popular rule management tool to automate the updates. 



5- our ISP can serve Dialup and Corporate( such as
wave-wireless and leased line ) customers by Two Cisco
7200 routers connecting all these customers to
Internet; our services ( DNS, Billing servers
,Radiator,WWW server ,..) are proteced by a PIX
firewall, however the proxies are running on the
Outside interface, so where is the best place to put
Snort sensor in order to get a clear idea about what s
happening and react immediately to block the threat?
If you only have one, stick it's tap out front where it can see everything. However, I'd advise that the sniffing interface be a stealth type interface that does not allow normal communications. Use a second interface connected behind the pix to support login, web interfaces, etc. 






-------------------------------------------------------
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: