On 0, Arthur DiSegna <adisegna@authentium.com> wrote:
Hello,
I just installed SNORT for the first time and have noticed one of my
servers generating a lot of traffic. Most of it is legitimate web
traffic. How can I exclude the normal traffic while maintaining
intrusion checks...
Start by tuning your setup, set your HOME_NET and EXTERNAL_NET variables
in your snort.conf and start from there. The HOME_NET is normally your
internal address space and the EXTERNAL_NET could be !$HOME_NET. The
default snort.conf is generously commented.
Then start looking at other variables in there and the preprocessor
options for tuning. You might also want to look at which rule groups are
enabled and disabled too.
The manual[0] is online and there are many documents in the doc directory
of the source tarball.
[0] http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/rc1/
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
There is no theory of evolution, just a list
of creatures Vin Diesel allows to live.
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
