Snort mailing list archives
Re: snort funtionallity
From: Michael Boman <michael.boman () gmail com>
Date: Fri, 17 Dec 2004 15:35:00 +0800
Please try to keep this on the list. Others might learn from this in the future (thanks to Google and all the mailing list archives).

On Fri, 17 Dec 2004 02:17:13 -0500, Nick Smith <nick () computernick com> wrote:
> Michael Boman wrote:
>> Take a deep breath and read my answers below...
>>
>> On Fri, 17 Dec 2004 01:35:08 -0500, Nick Smith <nick () computernick com> wrote:
>>> and are there any websites with a list of rules to add to increase security of your snort install without having to write all the rules by hand yourself?
>>
>> Yes, both www.snort.org and www.bleedingsnort.com update their rules regularly.
>
> do you just have to copy over the new rules into the correct directory overwriting the old? do they ever add any new *.rules files? if so do I need to do anything special to tell snort they are there? or does it do that on its own?

Nope, you have to do it manually. I would recommend Oinkmaster (http://oinkmaster.sourceforge.net/) to manage the rules. It will do the trick. And don't forget that you have to send SIGUSR1 or restart snort for it to pick up the updated rules.

>>> and where would I add those rules?

Oinkmaster will take care of most of the stuff, and advise you where you need to do some manual work.

>>> and finally this probably goes along with the previous question; I am getting virtually no ICMP (<1%) traffic and no portscan traffic (0%), I know there has to be some traffic for those, and I have a fresh install of snort running, is there something I have to add to get snort to look for that traffic?
>>
>> Have you enabled the relevant signatures and preprocessors for those?
>
> no clue how to do that? any advice?

Not sure, I don't know your network. It would help if you could send us your configuration so we can have a look at it. Also check out the snort documentation at www.snort.org.

Best regards
Michael Boman
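
Added example, not part of the original message and not code from Oinkmaster or the Snort project: a shell check for the question about new *.rules files, listing rule files that sit in the rules directory but have no active `include` line in snort.conf. It assumes Snort 2.x `include $RULE_PATH/<file>.rules` syntax; the function names and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report *.rules files that exist in the rules directory but
# are not actively included by snort.conf (missing or commented-out include).
# Assumption: Snort 2.x syntax, e.g.  include $RULE_PATH/local.rules

# Basenames of all rules files that snort.conf includes (comment lines skipped).
included_rules() {
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\(.*\.rules\)[[:space:]]*$/\1/p' "$1" |
        sed 's|.*/||' | sort -u
}

# Basenames of all *.rules files present in the rules directory.
present_rules() {
    for f in "$1"/*.rules; do
        [ -e "$f" ] && basename "$f"
    done | sort -u
}

# Files on disk that Snort will not load with the current snort.conf.
unreferenced_rules() {
    inc=$(included_rules "$1")
    present_rules "$2" | while IFS= read -r name; do
        printf '%s\n' "$inc" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: throwaway config and rules directory (file names are
# illustrative, not taken from the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/rules"
    cat > "$tmp/snort.conf" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/icmp.rules
# include $RULE_PATH/icmp-info.rules
EOF
    touch "$tmp/rules/local.rules" "$tmp/rules/icmp.rules" \
          "$tmp/rules/icmp-info.rules" "$tmp/rules/bleeding-scan.rules"
    unreferenced_rules "$tmp/snort.conf" "$tmp/rules"
    rm -rf "$tmp"
}

# Usage: sh check_rules.sh <snort.conf> <rules-dir>; with no arguments, run the demo.
if [ $# -eq 2 ]; then unreferenced_rules "$1" "$2"; else demo; fi
```

Each file it lists needs an uncommented `include` line in snort.conf before a restart will load its signatures.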