Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort funtionallity

From: Michael Boman <michael.boman () gmail com>
Date: Fri, 17 Dec 2004 15:35:00 +0800
Please try to keep this on the list. Others might learn from this in
the future (thanks to Google and all the mailinglist archives)

On Fri, 17 Dec 2004 02:17:13 -0500, Nick Smith <nick () computernick com> wrote:

Michael Boman wrote:


Take a deep breath and read my answers below...

On Fri, 17 Dec 2004 01:35:08 -0500, Nick Smith <nick () computernick com> wrote:

and are there any websites with a list of rules to add to
increase security of your snort install without having to write all the
rules by hand yourself?




Yes, both www.snort.org and www.bleedingsnort.com updates their rules regulary.




do you just have to copy over the new rules into the correct directory
overwriting the old?  do they ever add any new *.rules files?
if so do i need to do anything special to tell snort they are there? or
does it do that on its own?


Nope, you have to do it manually. I would recomend oinkmaster
(http://oinkmaster.sourceforge.net/) to manage the rules. It will do
the trick.

And don't forget that you have to send SIGUSR1 or restart snort for it
to pick up the updated rules.


and where would i add those rules?


Oinkmaster will take care of most of the stuff, and advice you where
you need to do some manual work.


and finally
this probably goes along with the previous question; i am getting
virtually no ICMP (<1%) traffic and no portscan traffic (0%), i know
there has to be some traffic for those, and i have a fresh install of
snort running, is there something i have to add to get snort to look for
that traffic?




Have you enabled the relevant signatures and preprocessors for those?




no clue how to do that? any advice?


Not sure, I don't know your network. I would help if you could send us
your configuration so we can have a look at it. Also check out the
snort documentation at www.snort.org.
 

Best regards
 Michael Boman


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: