
| Subject: | [Snort-users] Not sure I'm seeing all traffic |
|---|---|
| Date: | Tue, 29 Mar 2005 08:53:01 -0600 |
Hi, everyone...
Basics:
Snort 2.3.2, BASE 1.0.2
I've read Snort 2.0 Intrusion Detection (Syngress)
Intrusion Detection with Snort (Sams)
Intrusion Detection with Snort (Rehman)
And thousands of emails from the users group.
I've got my sniffing interface in promiscuous mode on a mirrored port. The
source port is the one my perimeter firewall is plugged into. I'm thinking
that this means that my sniffing interface *should* be seeing all traffic going
out of the firewall *and* all traffic that the firewall is passing in. My
first question is:
Is that correct?
I'm running two snort instances on the same box. One for logging, one for
alerting. I'm attempting to verify that the alerting instance is catching
everything. No matter how much I read on the differences between the alert and
log facilities I've remained confused as to how logging works. Alerting is
easy...say something when a rule is violated. Logging also seems affected by
the rules (as in when I comment one out the logging instance no longer reports
it either). My second question is:
Why is that?
The "-z est" argument has always troubled me. I know it's there (thanks,
Marty) to defeat stick attacks, but the argument "-z est" has never worked. At
least older versions of snort wouldn't start with that in the command line.
"-z" has, so for the past three years I've never known whether I really am
looking at only established traffic or not. And when looking for chat rule
violations I don't know whether I should be...especially with the newer
"flow:established" criteria written at the rule level. My third (and final)
question is:
Does anyone know of more resources than I've read that can help me to
understand all this better?
I'll appreciate any (positive) suggestions anyone cares to provide. Thanks!
This message (including any attachments) contains confidential
information intended for a specific individual and purpose,
and is protected by law. If you are not the intended recipient,
you should delete this message and are hereby notified that any
disclosure, copying, or distribution of this message, or the taking
of any action based on it, is strictly prohibited.
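One way to settle the "am I only looking at established traffic?" question at the rule level, independent of whatever `-z` does at the command line, is to scan the loaded rules file and list which active TCP rules carry a `flow:established` option and which do not. The checker below is an added example, not code from the original post or from the Snort project; the sample rules and SIDs are constructed, and the option parser is deliberately simple (it assumes no escaped semicolons inside `content` values).

```python
"""Report which rules in a Snort 2.x rules file depend on flow:established.

Added example, not part of the original post. The rules below are
constructed samples with placeholder SIDs, not a real ruleset."""
import re

# Constructed sample rules in Snort 2.x syntax (placeholder SIDs).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC test"; content:"GET "; sid:1000002; rev:1;)
# alert tcp $HOME_NET any -> any 5190 (msg:"CHAT AIM login"; flow:established; content:"*|01|"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS query"; content:"|01 00 00 01|"; sid:1000004; rev:1;)
'''

# Header: optional leading '#' (commented-out rule), action, protocol, then
# the parenthesised option body at the end of the line.
RULE_RE = re.compile(
    r'^(?P<commented>#\s*)?(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+'
    r'.*?\((?P<opts>.*)\)\s*$')


def parse_options(opts):
    """Split 'key:value; key:value;' into a dict (no escaped-';' handling)."""
    out = {}
    for part in opts.split(';'):
        part = part.strip()
        if part:
            key, _, val = part.partition(':')
            out[key.strip()] = val.strip()
    return out


def classify_rules(text):
    """Return one record per rule: sid, action, proto, commented, established."""
    results = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line, variable definition or non-rule comment
        opts = parse_options(m.group('opts'))
        flow_flags = [f.strip() for f in opts.get('flow', '').split(',')]
        results.append({
            'sid': opts.get('sid'),
            'action': m.group('action'),
            'proto': m.group('proto'),
            'commented': m.group('commented') is not None,
            'established': 'established' in flow_flags,
        })
    return results


def active_tcp_without_established(results):
    """SIDs of uncommented TCP rules that fire regardless of session state."""
    return [r['sid'] for r in results
            if not r['commented'] and r['proto'] == 'tcp' and not r['established']]
```

Running `classify_rules` over the real rules files (and `active_tcp_without_established` on the result) shows directly which rules would still fire on unestablished traffic, and which commented-out rules will disappear from both the alerting and the logging instance.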