Network Security: Detailed info on Re: [Snort-users] how rules work

Subject:	Re: [Snort-users] how rules work
Date:	Tue, 11 Dec 2007 13:31:09 -0500


Robert Fowler wrote:

If I have configured the network card with an IP address do I need to
remove this before starting Snort so it listens in pernicios mode.  I am
using ubuntu do i need to do anything specific other that remove IP
address ???


If you don't NEED an IP on the sensing interface it's better off not
having one.

 
On the rules I will edit each rules one by one stupit question as I am
not currently  looking at a rule what comment is required to enable /
disable


Comment them out, start the line with a #.

Finally if all rules log to mysql what do I need to do to see traffic
that activates a rule


The payloads will be included with most rules inside mysql/base. If you
want to see entire streams look at sguil. It's a good deal more complex
to setup and use, but will give you much greater data in return.

I'd stay with base for a bit till you get an idea of what you're doing,
then check out sguil when you have your current install so screwed up
from testing that you have to rebuild. :)

Matt

Thanks again
Robert
 
 


 
----- Original Message ----
From: Matt Jonkman <jonkman@jonkmans.com>
To: Robert Fowler <robshomemail@yahoo.com>
Cc: snort-users@lists.sourceforge.net
Sent: Tuesday, 11 December, 2007 6:06:48 PM
Subject: Re: [Snort-users] how rules work


Robert Fowler wrote:

Basically can I disable all rules and add them one by one ? and what
file determines what rules to use ?


Best bet is to start by disabling/enabling the major categories that you
might need. Also look at bleedingthreats.net for a complementary ruleset
to the stock sets.

Then look at what hits you get and make sure your sensor can handle the
load. Then start en/disabling individual rules that are of interest to you.

You can en/disable categories of rules in your snort.conf. Individual
rules in the individual ruleset file most likely in your rules/ dir.

Will SNORT act as an IPS and kill my network or just it just monitor
traffic ?


It can do both. Stock it'll be just monitoring. To block you have to get
more complex. Go inline, use flexresponse, or something like snortsam
(snortsam.net).


Also on a seperate note do I need the network interface to operate in
pernicios mode and does this need a specific switch when starting snort.


It'll do that on it's own, but ya generally so.

Matt

Thanks for the help
Robert

------------------------------------------------------------------------
Yahoo! Answers - Get better answers from someone who knows. Try it now

<http://uk.answers.yahoo.com/;_ylc=X3oDMTEydmViNG02BF9TAzIxMTQ3MTcxOTAEc2VjA21haWwEc2xrA3RhZ2xpbmU>.



------------------------------------------------------------------------

-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php


------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net

<mailto:Snort-users@lists.sourceforge.net>

Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.emergingthreats.net <http://www.emergingthreats.net/>
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc




------------------------------------------------------------------------
Support the World Aids Awareness campaign this month with Yahoo! for
Good
<http://us.rd.yahoo.com/mailuk/taglines/isp/control/*http://us.rd.yahoo.com/evt=51947/*http://uk.promotions.yahoo.com/forgood/>


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



-------------------------------------------------------------------------
SF.Net email is sponsored by: 
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] how rules work, Robert Fowler Re: [Snort-users] how rules work, Matt Jonkman Re: [Snort-users] how rules work, Robert Fowler Re: [Snort-users] how rules work, Matt Jonkman <= [Snort-users] Unable to disable X-link2state alerts., Bachelor, Stephen A CTR USSOCOM HQ Re: [Snort-users] Unable to disable X-link2state alerts., Todd Wease Re: [Snort-users] Unable to disable X-link2state alerts., M. Shirk

Previous by Date:	Re: [Snort-users] Newly Released: Aanval Basic, Jason
Next by Date:	[Snort-users] Unable to disable X-link2state alerts., Bachelor, Stephen A CTR USSOCOM HQ
Previous by Thread:	Re: [Snort-users] how rules work, Robert Fowler
Next by Thread:	[Snort-users] Unable to disable X-link2state alerts., Bachelor, Stephen A CTR USSOCOM HQ
Indexes:	[Date] [Thread] [Top] [All Lists]