Snort mailing list archives
Re: Only monitor high severity alerts
From: Tom Voussure <tom.voussure () gmail com>
Date: Fri, 2 Nov 2012 16:47:19 +0100
Hi Jeremy,

I've installed a Security Onion distro, with Snort, PulledPork, a MySQL DB, and I use Snorby as the Snort GUI. I just installed everything in the default mode and get around 50+ GB of disk usage per day.

I have a network with 5000+ devices, so there are indeed some false positives, but filtering out some source/destination IPs will not do the trick, I'm afraid. It would be nice if I could filter at the source, meaning only having rules for high severity alerts or letting Snort only process these types of alerts.

As I'm new, all hints are very much appreciated!

Thx,
Tom

On 2-nov.-2012, at 16:17, Jeremy Hoel <jthoel () gmail com> wrote:
> Well, what are you using to monitor the alerts? Also, if you can look at the large-number alerts, they might be false positives (i.e. port scan preprocessor, or IPC$ from file servers to clients), and that's where tweaking the IP variables and disabling or thresholding (by IP) rules comes in.
>
> On Fri, Nov 2, 2012 at 3:09 PM, Tom Voussure <tom.voussure () gmail com> wrote:
>
>> Hi,
>>
>> I've installed Snort some days ago for the first time, so I'm still a newbie :-)
>>
>> I've configured a SPAN port to monitor all our incoming/outgoing traffic from the internet and got lots of alerts (around 50,000 in 3 days' time). As I can't review all of them, I would like to start concentrating on the high severity alerts only and leave the medium and low severity alerts untouched.
>>
>> Is there an easy way to only monitor the high severity alerts or to download only rules for high severity alerts?
>>
>> Thanks!
>> tom
>>
>> ------------------------------------------------------------------------------
>> LogMeIn Central: Instant, anywhere, Remote PC access and management. Stay in control, update software, and manage PCs from one command center. Diagnose problems and improve visibility into emerging IT issues. Automate, monitor and manage. Do more in less time with Central. http://p.sf.net/sfu/logmein12331_d2d
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
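Added example, not from the thread and not code from the Snort or PulledPork projects: a small script that does the "rules for high severity alerts only" filtering Tom asks for, plus the per-IP suppression Jeremy mentions. It relies on how Snort assigns an alert's priority: the rule's own `priority:` keyword if present, otherwise the priority of its `classtype` as declared in classification.config (1 = high, 2 = medium, 3 = low; Snorby's High/Medium/Low labels are derived from this number). Rules whose effective priority is worse than the cut-off are emitted as `gid:sid` lines for PulledPork's disablesid.conf; rules with neither keyword are reported separately rather than silently dropped. The classification excerpt carries the real priorities for those classtypes, but the rules themselves are constructed (local SID range 1000001+, placeholder content) and the IP address is made up.

```python
import re
from collections import namedtuple

# Constructed excerpt of Snort's classification.config. The priority column
# holds the real values for these classtypes; the shipped file is much longer.
CLASSIFICATION_CONFIG = """
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: trojan-activity,A Network Trojan was detected,1
config classification: web-application-attack,Web Application Attack,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: misc-activity,Misc activity,3
config classification: network-scan,Detection of a Network Scan,3
"""

# Constructed rules in the local SID range; not real VRT/ET signatures.
# Rule 1000001 spans three lines with backslash continuations, 1000003 overrides
# its classtype with an explicit priority, 1000005 is already commented out and
# 1000006 has no classtype at all.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL admin share probe"; \
    flow:to_server,established; content:"IPC$"; classtype:attempted-recon; \
    sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL trojan beacon"; content:"beacon"; classtype:trojan-activity; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL odd DNS"; classtype:misc-activity; priority:1; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL ping sweep"; classtype:network-scan; sid:1000004; rev:1;)
# alert tcp any any -> any any (msg:"LOCAL disabled already"; classtype:attempted-admin; sid:1000005; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL no classtype"; content:"x"; sid:1000006; rev:1;)
"""

Rule = namedtuple("Rule", "gid sid msg classtype priority")

_OPT = {
    "gid": re.compile(r"\bgid:\s*(\d+)\s*;"),
    "sid": re.compile(r"\bsid:\s*(\d+)\s*;"),
    "classtype": re.compile(r"\bclasstype:\s*([\w-]+)\s*;"),
    "priority": re.compile(r"\bpriority:\s*(\d+)\s*;"),
    "msg": re.compile(r'\bmsg:\s*"([^"]*)"\s*;'),
}


def parse_classifications(text):
    """Map classtype name -> priority from 'config classification:' lines."""
    prio = {}
    for line in text.splitlines():
        m = re.match(r"\s*config classification:\s*([\w-]+),[^,]*,(\d+)\s*$", line)
        if m:
            prio[m.group(1)] = int(m.group(2))
    return prio


def iter_rules(text):
    """Yield one logical rule per item: join backslash continuations, skip blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical = (buf + line).strip()
        buf = ""
        if not logical or logical.startswith("#"):
            continue
        yield logical


def parse_rule(line, class_prio):
    """Extract gid/sid/msg/classtype and the effective priority of one rule."""
    found = {}
    for key, rx in _OPT.items():
        m = rx.search(line)
        found[key] = m.group(1) if m else None
    if found["sid"] is None:
        raise ValueError("rule without sid: %s" % line[:60])
    if found["priority"] is not None:
        prio = int(found["priority"])                 # explicit keyword wins
    else:
        prio = class_prio.get(found["classtype"])     # None if no/unknown classtype
    return Rule(int(found["gid"] or 1), int(found["sid"]),
                found["msg"] or "", found["classtype"], prio)


def split_by_priority(rules_text, class_text, keep_max=1):
    """Return {'keep', 'disable', 'unclassified'} lists of 'gid:sid' strings.

    keep_max=1 keeps only high-priority rules; keep_max=2 keeps high and medium.
    """
    class_prio = parse_classifications(class_text)
    out = {"keep": [], "disable": [], "unclassified": []}
    for line in iter_rules(rules_text):
        r = parse_rule(line, class_prio)
        ref = "%d:%d" % (r.gid, r.sid)
        if r.priority is None:
            out["unclassified"].append(ref)   # review by hand, never drop blindly
        elif r.priority <= keep_max:
            out["keep"].append(ref)
        else:
            out["disable"].append(ref)
    return out


def disablesid_text(refs):
    """Body for PulledPork's disablesid.conf: one gid:sid per line."""
    return "\n".join(refs) + "\n"


def suppress_line(gid, sid, ip, track="by_src"):
    """threshold.conf entry that silences one rule for one address (Jeremy's per-IP tweak)."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return "suppress gen_id %d, sig_id %d, track %s, ip %s" % (gid, sid, track, ip)


if __name__ == "__main__":
    result = split_by_priority(SAMPLE_RULES, CLASSIFICATION_CONFIG)
    print("# keep:", ", ".join(result["keep"]))
    print("# review (no classtype):", ", ".join(result["unclassified"]))
    print(disablesid_text(result["disable"]), end="")
    # 10.0.0.5 is a made-up file server that trips the share-probe rule all day.
    print(suppress_line(1, 1000001, "10.0.0.5"))
```

Run it against the real downloaded rules and classification.config, paste the `disable` output into disablesid.conf, and re-run PulledPork so the rules are commented out before Snort loads them; `suppress` lines go into threshold.conf. Two caveats: a disabled rule produces nothing at all, so the medium and low events are not stored anywhere for later review, and a rule that has no classtype lands in `unclassified` precisely so that a missing keyword does not quietly turn into a disabled detection.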
Current thread:
- Only monitor high severity alerts Tom Voussure (Nov 02)
- Re: Only monitor high severity alerts Jeremy Hoel (Nov 02)
- Re: Only monitor high severity alerts Tom Voussure (Nov 02)
- Re: Only monitor high severity alerts Jeremy Hoel (Nov 02)
- Re: Only monitor high severity alerts Tom Voussure (Nov 02)
- Re: Only monitor high severity alerts JJC (Nov 02)
- Re: Only monitor high severity alerts waldo kitty (Nov 02)
- Re: Only monitor high severity alerts Tom Voussure (Nov 02)
- Re: Only monitor high severity alerts Jeremy Hoel (Nov 02)