Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Only monitor high severity alerts

From: Tom Voussure <tom.voussure () gmail com>
Date: Fri, 2 Nov 2012 16:47:19 +0100
Hi Jeremy,

I've installed a security onion distro, with Snort, pulledpork, mysql db and i use snorby as Snort-gui.

I just installed everything in the default mode, and get around +50gb off diskusage per day.

I have a network with +5000 devices, so there are indeed some false positives, but filtering out some 
source/destination ips will not do the trick i'm afraid.

It would be nice that i could filter at the source, meaning only having rules for high severity alerts or let snort 
only process these types of alerts.

As i'm new, all hints are very much appreciated!

Thx,
Tom





On 2-nov.-2012, at 16:17, Jeremy Hoel <jthoel () gmail com> wrote:


Well, what are you using to monitor the alerts?

Also, if you can look at the large number alerts, they might false positives (ie: port scan proccessor, or IPC$ from 
file servers to clients), and that's where tweaking the IP variables and disabling or threshold (by ip) rules comes 
in.


On Fri, Nov 2, 2012 at 3:09 PM, Tom Voussure <tom.voussure () gmail com> wrote:

Hi,
I've installed Snort some days ago for the first time, so i'm still a newby :-)

I've configured a SPAN port to monitor all our incoming/outgoing traffic from the internet and got lots of alerts 
(around 50.000 in 3 days times).

As I can't review all of them, I would like to start concentrating on the high severity alerts only, and let the 
medium and low severity alerts untouched.

Is there an easy way to only monitor the high severity alerts or to download only rules for high severity alerts?

Thanks !
tom


------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: