Snort mailing list archives
Re: snort functionality
From: Nick Smith <nick () computernick com>
Date: Fri, 17 Dec 2004 02:30:32 -0500
Michael Boman wrote:

> Take a deep breath and read my answers below...
>
> On Fri, 17 Dec 2004 01:35:08 -0500, Nick Smith <nick () computernick com> wrote:
>
>> isn't there a way to have snort email you when a serious attack occurs? i
>> thought i remembered reading that somewhere but can't find it now.
>
> http://www.snort.org/docs/FAQ.txt FAQ #5.9

well that answers that, i could have sworn i saw that somewhere though.

>> also is ACID the best console for snort? or are there any better ones out there?
>
> Personally I swear by SGUIL (www.sguil.net), but that's just me ;)

i'll look into that, thanks

>> do you just have to copy over the new rules into the correct directory,
>> overwriting the old? do they ever add any new *.rules files? if so, do i
>> need to do anything special to tell snort they are there? or does it do
>> that on its own? and are there any websites with a list of rules to add to
>> increase the security of your snort install without having to write all
>> the rules by hand yourself?
>
> Yes, both www.snort.org and www.bleedingsnort.com update their rules regularly.

>> and where would i add those rules?
>
> If you write your own rules you usually put them in local.rules.

found it, thanks

>> and finally, this probably goes along with the previous question: i am
>> getting virtually no ICMP (<1%) traffic and no portscan traffic (0%). i
>> know there has to be some traffic for those, and i have a fresh install of
>> snort running. is there something i have to add to get snort to look for
>> that traffic?
>
> Have you enabled the relevant signatures and preprocessors for those?

no clue how to do that? any advice?

>> thanks for any and all help, i'm very new to snort and acid and need all
>> the help i can get
>
> Don't worry, we all were there at one point of time. My suggestion: Pick up
> some books on Network IDS and Snort. TCP/IP Illustrated vol. 1 is also
> recommended. And don't forget Richard's book "The Tao of Network Security
> Monitoring: Beyond Intrusion Detection". You have some links to sample
> chapters etc. at http://www.taosecurity.com/books.html
>
> Good luck!
> /Michael Boman

thanks for your quick response, it's helped a lot

Nick
------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users.Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
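A snort.conf fragment that ties the answers above together: the commented-out lines are the shape of a stock install that produces no ICMP or portscan alerts, the lines after them are the enabled form, and the local.rules entry shows the kind of hand-written rule that belongs there. This is an added example, not from either poster; it assumes Snort 2.3-era sfportscan syntax (older releases used a different portscan preprocessor) and the $RULE_PATH, $HOME_NET and $EXTERNAL_NET variables a default snort.conf defines.

```conf
# ---- snort.conf: why a fresh install shows ~0% ICMP and 0% portscan ----
# The portscan preprocessor and the ICMP rule files are often shipped
# commented out, so no matter what crosses the wire nothing fires:
#preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
#include $RULE_PATH/icmp.rules
#include $RULE_PATH/icmp-info.rules

# ---- Enabled form ----
# sense_level { low } keeps false positives down on a busy network; raise
# to medium/high once you know what "normal" looks like on this segment.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
include $RULE_PATH/icmp.rules
include $RULE_PATH/icmp-info.rules
# Your own rules go in local.rules; updated vendor rule files replace the
# others in $RULE_PATH and only need a new include line if a new *.rules
# file appears.
include $RULE_PATH/local.rules

# Send alerts to syslog as well, so an external log watcher (the FAQ 5.9
# approach) can mail you on the serious ones.
output alert_syslog: LOG_AUTH LOG_ALERT

# ---- $RULE_PATH/local.rules ----
# One hand-written rule. Local sids start at 1000000 so they never collide
# with the sids in the distributed rule sets.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP echo request to home net"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
```

Check the edited configuration parses before restarting the sensor with `snort -T -c /etc/snort/snort.conf`; a typo in a rule or include path otherwise leaves you with a silently dead IDS.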