Snort mailing list archives

Re: how rules work


From: Matt Jonkman <jonkman () jonkmans com>
Date: Tue, 11 Dec 2007 13:31:09 -0500


Robert Fowler wrote:
If I have configured the network card with an IP address, do I need to
remove this before starting Snort so it listens in promiscuous mode? I am
using Ubuntu; do I need to do anything specific other than remove the IP
address?

If you don't NEED an IP on the sensing interface it's better off not
having one.

 
On the rules, I will edit each rule one by one. Stupid question, as I am
not currently looking at a rule: what comment is required to enable /
disable?
 

Comment them out, start the line with a #.

Finally, if all rules log to MySQL, what do I need to do to see traffic
that activates a rule?
 

The payloads will be included with most rules inside mysql/base. If you
want to see entire streams look at sguil. It's a good deal more complex
to set up and use, but will give you much greater data in return.

I'd stay with base for a bit till you get an idea of what you're doing,
then check out sguil when you have your current install so screwed up
from testing that you have to rebuild. :)

Matt

Thanks again
Robert
 
 


 
----- Original Message ----
From: Matt Jonkman <jonkman () jonkmans com>
To: Robert Fowler <robshomemail () yahoo com>
Cc: snort-users () lists sourceforge net
Sent: Tuesday, 11 December, 2007 6:06:48 PM
Subject: Re: [Snort-users] how rules work


Robert Fowler wrote:
Basically, can I disable all rules and add them one by one? And what
file determines what rules to use?

Best bet is to start by disabling/enabling the major categories that you
might need. Also look at bleedingthreats.net for a complementary ruleset
to the stock sets.

Then look at what hits you get and make sure your sensor can handle the
load. Then start en/disabling individual rules that are of interest to you.

You can en/disable categories of rules in your snort.conf. Individual
rules in the individual ruleset file, most likely in your rules/ dir.

Will SNORT act as an IPS and kill my network, or will it just monitor
traffic?

It can do both. Stock it'll be just monitoring. To block you have to get
more complex. Go inline, use flexresponse, or something like snortsam
(snortsam.net).


Also, on a separate note, do I need the network interface to operate in
promiscuous mode, and does this need a specific switch when starting Snort?


It'll do that on its own, but ya, generally so.

Matt

Thanks for the help
Robert


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.emergingthreats.net <http://www.emergingthreats.net/>
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc









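The two mechanics Matt describes in the thread, commenting an individual rule out by starting its line with a `#` and en/disabling whole categories through the `include $RULE_PATH/...rules` lines in snort.conf, are easy to get wrong by hand on a large ruleset (a stray edit to the wrong SID, or a category include that never gets turned back on). The script below is an added example and is not code from the thread or from the Snort project. It writes a constructed snort.conf fragment and a constructed local.rules file (made-up SIDs in the local 1000000+ range) into a temporary directory and toggles them with POSIX awk and grep; point `SNORT_CONF` and `RULE_DIR` at a real install to use the same functions there.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): toggle Snort rules
# the way the reply describes, by prefixing lines with '#'.
# Everything below runs against constructed sample files in a temp directory;
# set SNORT_CONF and RULE_DIR to a real install to use the functions for real.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
SNORT_CONF="$WORK/snort.conf"
RULE_DIR="$WORK/rules"
mkdir -p "$RULE_DIR"

# Constructed snort.conf fragment: one include line per rule category.
cat > "$SNORT_CONF" <<'EOF'
var RULE_PATH rules
include $RULE_PATH/local.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/policy.rules
EOF

# Constructed rules file; the SIDs are made up, in the local (1000000+) range.
cat > "$RULE_DIR/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"EXAMPLE web probe"; content:"GET /probe"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE ssh scan"; flags:S; sid:1000002; rev:1;)
EOF

# rewrite FILE [awk options] PROGRAM: run an awk filter over FILE in place.
rewrite() {
    file="$1"; shift
    awk "$@" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# disable_category CONF NAME: comment out "include $RULE_PATH/NAME.rules".
disable_category() {
    rewrite "$1" -v name="$2" '
        $1 == "include" && $2 == ("$RULE_PATH/" name ".rules") { print "# " $0; next }
        { print }'
}

# enable_category CONF NAME: strip the leading '#' from that include line again.
enable_category() {
    rewrite "$1" -v name="$2" '
        /^[ \t]*#/ {
            line = $0; sub(/^[ \t]*#[ \t]*/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && f[1] == "include" && f[2] == ("$RULE_PATH/" name ".rules")) { print line; next }
        }
        { print }'
}

# disable_sid RULES SID: comment out the active rule carrying "sid:SID;".
# The trailing ';' keeps sid 1000001 from also matching sid 10000011.
disable_sid() {
    rewrite "$1" -v sid="$2" '
        $0 !~ /^[ \t]*#/ && $0 ~ ("sid:[ \t]*" sid ";") { print "# " $0; next }
        { print }'
}

# enable_sid RULES SID: uncomment the rule carrying "sid:SID;".
enable_sid() {
    rewrite "$1" -v sid="$2" '
        /^[ \t]*#/ && $0 ~ ("sid:[ \t]*" sid ";") { sub(/^[ \t]*#[ \t]*/, ""); print; next }
        { print }'
}

# Queries: exit 0 when the category include / the rule is active (uncommented).
is_category_enabled() {
    grep -Eq "^[[:space:]]*include[[:space:]]+\\\$RULE_PATH/$2\.rules[[:space:]]*$" "$1"
}
is_sid_enabled() {
    grep -Eq "^[[:space:]]*[a-z]+[[:space:]].*sid:[[:space:]]*$2;" "$1"
}

# Demo: drop the policy category, silence one local rule, then bring it back.
disable_category "$SNORT_CONF" policy
disable_sid "$RULE_DIR/local.rules" 1000002
enable_sid  "$RULE_DIR/local.rules" 1000002
echo "== $SNORT_CONF"; cat "$SNORT_CONF"
echo "== $RULE_DIR/local.rules"; cat "$RULE_DIR/local.rules"
```

Each function rewrites through a temp file and touches only an exact match (the full `$RULE_PATH/NAME.rules` token, or `sid:N;` with its semicolon), so re-running it is harmless and a partial SID never silences a neighbouring rule. Snort has to be restarted or signalled to re-read its configuration before any of these edits take effect.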