Snort mailing list archives
RE: Policy-Based monitoring
From: "Kaplan, Andrew H." <AHKAPLAN () PARTNERS ORG>
Date: Thu, 14 Oct 2004 13:17:22 -0400
Hi Erik --

I did a check of the README.alert_order file but I am not sure as to how I can change the rule application order from its current setting of:

    activation->dynamic->alert->pass->log

to the one I prefer which is:

    activation->dynamic->pass->alert->log

Correct me if I'm wrong, but if I'm using a policy-based.rules file shouldn't the pass items be handled first, and then if the packet does not match any of the pass items it should then fall under the alert category?

-----Original Message-----
From: Schott, Erik J Mr ANOSC/FCBS [mailto:erik.schott-FCBS () NETCOM ARMY MIL]
Sent: Wednesday, October 13, 2004 7:28 PM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] Policy-Based monitoring

Hi Andrew.

Where you put the rule in your snort.conf determines which rule snort selects when it receives a matching packet. The snort-2.2.0/doc/README.alert_order file is where you want to look. It explains the rule selection algorithm fairly well.

HTH.
Erik

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kaplan, Andrew H.
Sent: Wednesday, October 13, 2004 5:47 AM
To: Snort User Group (E-mail)
Subject: [Snort-users] Policy-Based monitoring

Hi there --

I got Snort to operate successfully and alerts are appearing on the ACID console. My next step is to refine the monitoring, and to that end the approach that I was planning on taking was using a policy-based.rules file. I will be modifying the snort.conf file to include the line:

    include $RULE_PATH/policy-based.rules

The questions I have are, does the position of the new line matter? Should I put the new line at the beginning of the include statements or after them? Also, besides adding the line is there anything else that I need to do to Snort, or is simply adding the above line sufficient?

Thanks.
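The behaviour the thread is asking about, as an added illustration that is not part of the original messages or of Snort's own code: a toy model of Snort 2.x rule-type ordering, where the first rule type in the configured order that holds a matching rule wins and later types are not consulted. The rules, packets and host addresses below are constructed; in Snort 2.x the pass-first order is what the `-o` command-line switch (or a `config order:` line in snort.conf) selects, but the poster's own README.alert_order is the authority for the exact syntax in their version.

```python
# Toy model of Snort 2.x rule ordering (added example, constructed data,
# not Snort's implementation). Rule types are walked in the configured
# order; within a type the first matching rule wins, and once a type has
# matched no later type is evaluated. That is why a pass rule only
# suppresses an alert when "pass" comes before "alert" in the order.

DEFAULT_ORDER = ["activation", "dynamic", "alert", "pass", "log"]
PASS_FIRST_ORDER = ["activation", "dynamic", "pass", "alert", "log"]

# Constructed rule set: (action, proto, src_host, dst_host, dst_port, msg).
# A broad alert rule, plus a pass rule for a trusted scanner host
# (10.0.0.5 is a made-up address) whose traffic the alert would also match.
RULES = [
    ("alert", "tcp", "any", "any", 22, "SSH connection attempt"),
    ("pass", "tcp", "10.0.0.5", "any", 22, "trusted scanner, do not alert"),
]

# Constructed packets: one from the trusted scanner, one from elsewhere.
SCANNER_PKT = {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 22}
OTHER_PKT = {"proto": "tcp", "src": "10.0.0.9", "dst": "192.168.1.10", "dport": 22}


def rule_matches(rule, pkt):
    """Header-only match: protocol, source host, destination host and port."""
    _action, proto, src, dst, dport, _msg = rule
    return (proto == pkt["proto"]
            and src in ("any", pkt["src"])
            and dst in ("any", pkt["dst"])
            and dport in ("any", pkt["dport"]))


def dispatch(rules, pkt, order):
    """Return (action, msg) of the winning rule for pkt, or None.

    Rule types are tried in `order`; the first type containing a matching
    rule decides the packet and later types are skipped.
    """
    for rtype in order:
        for rule in rules:
            if rule[0] == rtype and rule_matches(rule, pkt):
                return rule[0], rule[5]
    return None


if __name__ == "__main__":
    for name, order in (("default", DEFAULT_ORDER), ("pass-first", PASS_FIRST_ORDER)):
        print(f"{name:10s} scanner -> {dispatch(RULES, SCANNER_PKT, order)}")
        print(f"{name:10s} other   -> {dispatch(RULES, OTHER_PKT, order)}")
```

Under the default order the scanner's packet still produces the alert because the alert type is evaluated before pass; only the pass-first order lets the pass rule win, while packets from any other host alert under both orders.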