Snort mailing list archives

Re: IDS


From: Syed Tariq Mustafa <Mustafast () ALJ COM>
Date: Mon, 10 Jul 2017 16:06:50 +0000

Please unsubscribe me from this list. I tried to do it myself but the messages keep coming!!

Thank you.



Sent from my Samsung device


-------- Original message --------
From: Justin Pederson via Snort-users <snort-users () lists snort org>
Date: 10/07/2017 7:05 PM (GMT+03:00)
To: "Al Lewis (allewi)" <allewi () cisco com>
Cc: Snort-users () lists snort org
Subject: Re: [Snort-users] IDS

I just grabbed a file from packettotal.  Is there any way to run it against my current rules set to see if it triggers 
anything?

On Mon, Jul 10, 2017 at 10:37 AM, Al Lewis (allewi) <allewi () cisco com> wrote:
“Best” would depend on what you are trying to do.

If you are “tweaking/tuning/learning/testing” etc .. rules then a pcap definitely works better than trying to use live 
traffic.

Even with live traffic you may want to log things in binary format that alert.

Then come back and analyze them later.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Justin Pederson via Snort-users <Snort-users () lists snort org>
Reply-To: Justin Pederson <jpedersm () gmail com>
Date: Monday, July 10, 2017 at 11:15 AM
To: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: [Snort-users] IDS

What is the best way to set snort up?  Either have it just look at the live packets as they come in or to form a pcap 
then to look into the pcap?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
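As an added example (not written by anyone in this thread), the offline workflow Justin asks about and the binary logging Al suggests: a POSIX shell script that runs Snort 2.9 against a saved pcap with the current snort.conf, writes one-line alerts plus tcpdump-format packet logs, and then summarizes which rules fired. The config path, log directory and the sample alert lines are assumptions/constructed; Snort 3 uses different command-line options.

```shell
#!/bin/sh
# Added example (not from the thread): replay a pcap through Snort 2.9 offline,
# then summarize which rules fired. Paths are assumptions; adjust to your install.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Run the current rule set against a saved capture instead of a live interface.
#   -r <pcap>  read packets from the file
#   -c <conf>  snort.conf that includes your rules
#   -A fast    one-line alerts written to <logdir>/alert
#   -b         also log the alerting packets in binary tcpdump/pcap format
#              (<logdir>/snort.log.<epoch>) for later analysis
#   -k none    skip checksum checks (offloaded captures often carry bad checksums)
#   -q         no banner or statistics
snort_replay() {
    pcap="$1"; logdir="$2"
    mkdir -p "$logdir"
    snort -q -k none -r "$pcap" -c "$SNORT_CONF" -A fast -b -l "$logdir"
}

# Summarize an alert_fast file as "<count> <gid:sid:rev> <msg>", most frequent first.
summarize_alerts() {
    awk '{
        # Rule id looks like "[1:2100498:7] "; the message runs up to the next " [**]".
        if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\] /)) {
            id  = substr($0, RSTART + 1, RLENGTH - 3)
            msg = substr($0, RSTART + RLENGTH)
            sub(/ \[\*\*\].*$/, "", msg)
            cnt[id]++; text[id] = msg
        }
    }
    END { for (k in cnt) printf "%d %s %s\n", cnt[k], k, text[k] }' "$1" | sort -rn
}

# Constructed sample in alert_fast format, so the summarizer can be tried without Snort.
write_sample_alerts() {
    printf '%s\n' \
      '07/10-16:06:50.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:49152' \
      '07/10-16:06:51.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:49153' \
      '07/10-16:06:52.000002  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 0] {ICMP} 10.0.0.9 -> 10.0.0.5' > "$1"
}

# Stand-alone demo on the constructed file. For a real capture:
#   snort_replay capture.pcap ./snort-logs && summarize_alerts ./snort-logs/alert
sample=$(mktemp)
write_sample_alerts "$sample"
summarize_alerts "$sample"
rm -f "$sample"
```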
