Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] how rules work

from [Robert Fowler] Network Security [Permanent Link]
Subject: Re: [Snort-users] how rules work
Date: Tue, 11 Dec 2007 10:16:33 -0800 (PST) 
Hi Matt/All

Just two other points:

If I have configured the network card with an IP address do I need to remove 
this before starting Snort so it listens in pernicios mode.  I am using ubuntu 
do i need to do anything specific other that remove IP address ???

On the rules I will edit each rules one by one stupit question as I am not 
currently  looking at a rule what comment is required to enable / disable

Finally if all rules log to mysql what do I need to do to see traffic that 
activates a rule

Thanks again 
Robert





----- Original Message ----
From: Matt Jonkman <jonkman@jonkmans.com>
To: Robert Fowler <robshomemail@yahoo.com>
Cc: snort-users@lists.sourceforge.net
Sent: Tuesday, 11 December, 2007 6:06:48 PM
Subject: Re: [Snort-users] how rules work


Robert Fowler wrote:

Basically can I disable all rules and add them one by one ? and what
file determines what rules to use ? 


Best bet is to start by disabling/enabling the major categories that you
might need. Also look at bleedingthreats.net for a complementary ruleset
to the stock sets.

Then look at what hits you get and make sure your sensor can handle the
load. Then start en/disabling individual rules that are of interest to you.

You can en/disable categories of rules in your snort.conf. Individual
rules in the individual ruleset file most likely in your rules/ dir.


Will SNORT act as an IPS and kill my network or just it just monitor
traffic ?


It can do both. Stock it'll be just monitoring. To block you have to get
more complex. Go inline, use flexresponse, or something like snortsam
(snortsam.net).


 
Also on a seperate note do I need the network interface to operate in
pernicios mode and does this need a specific switch when starting snort.
 


It'll do that on it's own, but ya generally so.

Matt


Thanks for the help
Robert

------------------------------------------------------------------------
Yahoo! Answers - Get better answers from someone who knows. Try it now
<http://uk.answers.yahoo.com/;_ylc=X3oDMTEydmViNG02BF9TAzIxMTQ3MTcxOTAEc2VjA21haWwEc2xrA3RhZ2xpbmU>.


------------------------------------------------------------------------

-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php


------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


      __________________________________________________________
Sent from Yahoo! Mail - a smarter inbox http://uk.mail.yahoo.com

-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Newly Released: Aanval Basic, M. Shirk
Next by Date:  Re: [Snort-users] Newly Released: Aanval Basic, Jason
Previous by Thread:  Re: [Snort-users] how rules work, Matt Jonkman
Next by Thread:  Re: [Snort-users] how rules work, Matt Jonkman
Indexes:  [Date] [Thread] [Top] [All Lists]