Snort mailing list archives

Re: Setting up simple LAN-sniffing for bad signatures?


From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 2 Jan 2015 20:26:21 -0700

Please reply to the list.

"All bad traffic" is variable for different people and different networks.
One person might not mind Tor or P2P traffic and another will block all
social media. There is no one size fits all solution.

If you look at the snort.conf file near the bottom you can see the rules
files that can get loaded. Pulledpork is a tool to automatically get rules
from sources and modify them together if needed and then restart snort.
Its config file lists URLs from VRT's community ruleset and Emerging Threats'
free ruleset. Check out those sources of rules and then enable the ones you
want to use.

If you want to use custom rules, the default is to put them in local.rules.
On Jan 2, 2015 7:51 PM, "PattiMichelle" <miche1 () earthlink net> wrote:

Thanks, Jeremy - I guess I would like to "sniff" for all known bad
traffic.  Krebs put out a Snort signature for the Sony hack software.  So
it would be good if it could be a text file of rules.  Do you know of a DIY
online for doing this?  I don't really understand the terminology.  I
thought I understood pulledpork, but for some reason I'm not.

Patricia

On 01/02/2015 01:35 PM, Jeremy Hoel wrote:

If you just want to look for bad traffic that you are specifying and not
using rules from VRT or ET, then you just want to make local.rules and have
snort read that.  It's not a database per se, but just a text file that you
create the rules in.  If it's the logging you are having problems with, you
need to specify how you want the output to go: to a unified2 file, syslog
or a text file.

You can sniff and manage on the same interface, though it's not
recommended for production to do it that way.



On Fri, Jan 2, 2015 at 2:18 PM, PattiMichelle <miche1 () earthlink net>
wrote:

Dear Snort Users:  I'm trying to figure out how to set up Snort on my
Opensuse 13.1x64 system to sniff (and log) instances of "bad" network
traffic (via snort signature database).  It seems tricky to get this
going.  There are websites which gave me enough information to get the
sniffer operational, but I can't seem to figure out how to get to read a
database of bad signatures, and log only those bad ones.  Does anyone have
a simple DIY for this?  I'm not trying to set up an alarm or automatic
response system.  Just to have a logfile available to look at from time to
time, or maybe diff occasionally.

Also, is it necessary to run snort in a virtual machine as a "sandbox,"
or else to have two NICs, one for normal LAN traffic and the other for
Snort?

Thank You Very Much,
Patricia




------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is
your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
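Jeremy's point above is that local.rules is nothing more than a text file of Snort rules that snort.conf includes. The example below is added here and is not from the thread or from the Snort project: a small Python linter that parses a local.rules file written in the Snort 2.x rule grammar (header, then options in parentheses, with backslash line continuations) and flags the load-time mistakes a first-time rule writer usually hits: a missing sid, a sid reused by two rules, and a sid below 1,000,000, which is the conventional floor for locally written rules so they do not collide with VRT or Emerging Threats sids. The sample rules, the sid floor and the Rule fields are all assumptions made for this example; the checks are a subset of what snort itself validates when it loads the file.

```python
"""Lint a Snort 2.x local.rules text file before handing it to snort.

Added example for this thread; not code from the Snort project. Assumes the
Snort 2.x rule grammar (header + parenthesised options) and the convention that
locally written rules use sid >= 1000000, below which sids belong to vendor rulesets.
"""
import re
from dataclasses import dataclass

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000  # assumption: lower sids are reserved for VRT/ET rules

# Rule header: action proto src src_port direction dst dst_port, then (options)
_HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
_OPT_SPLIT_RE = re.compile(r"(?<!\\);")  # ';' ends an option unless escaped as '\;'

# Constructed sample local.rules (not a real ruleset); lines 6-8 carry deliberate mistakes.
SAMPLE_LOCAL_RULES = """\
# constructed sample local.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL outbound IRC"; flow:to_server,established; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL inbound SSH SYN"; flags:S; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"LOCAL DNS query for test label"; content:"|03|foo|07|example|03|com"; \\
    nocase; sid:1000003; rev:1;)
alert tcp any any -> any 80 (msg:"LOCAL missing sid"; content:"GET"; rev:1;)
alert tcp any any -> any 80 (msg:"LOCAL duplicate sid"; content:"POST"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"LOCAL sid in vendor range"; sid:50; rev:1;)
"""


@dataclass
class Rule:
    lineno: int
    action: str
    protocol: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: dict  # keyword -> list of values; keywords such as content may repeat


def _logical_lines(text):
    """Yield (lineno, rule_text); joins backslash continuations, skips blanks and comments."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None


def parse_options(opts):
    """Turn 'msg:"x"; sid:1; nocase;' into {'msg': ['x'], 'sid': ['1'], 'nocase': ['']}."""
    options = {}
    for opt in _OPT_SPLIT_RE.split(opts):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return options


def lint_rules(text):
    """Parse a rules file; return (rules, findings) where findings are (lineno, message)."""
    rules, findings, seen_sids = [], [], {}
    for lineno, line in _logical_lines(text):
        m = _HEADER_RE.match(line)
        if not m:
            findings.append((lineno, "cannot parse rule header or option parentheses"))
            continue
        action, proto, src, sport, direction, dst, dport, opts = m.groups()
        rule = Rule(lineno, action, proto, src, sport, direction, dst, dport, parse_options(opts))
        rules.append(rule)
        if action not in ACTIONS:
            findings.append((lineno, f"unknown action {action!r}"))
        if proto not in PROTOCOLS:
            findings.append((lineno, f"unknown protocol {proto!r}"))
        if "msg" not in rule.options:
            findings.append((lineno, "no msg option; alerts would be hard to read in the log"))
        sids = rule.options.get("sid")
        if not sids or not sids[0].isdigit():
            findings.append((lineno, "missing or non-numeric sid; snort will not load this rule"))
            continue
        sid = int(sids[0])
        if sid < LOCAL_SID_MIN:
            findings.append((lineno, f"sid {sid} is below {LOCAL_SID_MIN}; it may collide with VRT/ET rules"))
        if sid in seen_sids:
            findings.append((lineno, f"duplicate sid {sid}, first used on line {seen_sids[sid]}"))
        else:
            seen_sids[sid] = lineno
    return rules, findings


if __name__ == "__main__":
    parsed, problems = lint_rules(SAMPLE_LOCAL_RULES)
    print(f"{len(parsed)} rules parsed, {len(problems)} problems")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```

Run it against your own file with `lint_rules(open("/etc/snort/rules/local.rules").read())` before restarting snort; snort stops at the first bad rule with a message that is harder to read than a line number, and the duplicate-sid case is the one that most often appears after pasting a published signature, such as the one Patricia mentions, into a file that already has a rule with that sid.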