Snort mailing list archives
Re: Snort Implementation
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Jan 2004 12:22:52 -0500
At 03:29 AM 1/13/2004, yyyyyy yaher wrote:
1-What is the most stable version of Snort that have been tested ?
2.10 is the most recent stable release, but it has some issues with alert mangling in some cases. I might wait for 2.1.1 before switching to the 2.1.x series.
2.0.6 is a bit more "well tested:
2- is it possible to get Snort running on Linux Redhat without installing Mysql and ACID ? do i get all the Alerts generated by Snort in that case? and wthat is the impact on Snort Performance ?
Sure,.. acid/mysql is just one popular management interface. Snort can log to mysql, flat file, or syslog, your choice. I personally use flat file logging, and tcpdump format packet logging.
3- what are the basic commands to run Snort in IDS mode in order to capture and analyze packets and generates Alerts in simple format ?
snort -D -c /etc/snort.confThe "commands" are all in your snort.conf file.. the snort tarball comes with a snort.conf which has most all of the settings documented in it. Start with that as a template and edit it to your needs.
and how can i optimize its function in orderto filter the false positives messages and get only the real Threats?
tweak the rules that are included by your snort.conf
4-does snort.conf is updated with the most rules regarding recent attacks and worms ? and how could i verify that ?
you can download an updated snort.conf and *.rules from the snort.org website. Oinkmaster is a popular rule management tool to automate the updates.
5- our ISP can serve Dialup and Corporate( such as wave-wireless and leased line ) customers by Two Cisco 7200 routers connecting all these customers to Internet; our services ( DNS, Billing servers ,Radiator,WWW server ,..) are proteced by a PIX firewall, however the proxies are running on the Outside interface, so where is the best place to put Snort sensor in order to get a clear idea about what s happening and react immediately to block the threat?
If you only have one, stick it's tap out front where it can see everything. However, I'd advise that the sniffing interface be a stealth type interface that does not allow normal communications. Use a second interface connected behind the pix to support login, web interfaces, etc.
------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort Implementation yyyyyy yaher (Jan 13)
- Re: Snort Implementation Matt Kettler (Jan 13)
- <Possible follow-ups>
- Snort Implementation yyyyyy yaher (Jan 13)
- Snort Implementation yyyyyy yaher (Jan 13)