Re: Beginner snort user questions

From: g00se (emogus@adelphia.net)
Date: 08/10/02


portsentry would probably work better for you...

"Bryan" <bryan@akanta.com> wrote in message
news:3D53FEDF.80009@akanta.com...
> Hi there,
>
> I am setting up snort-1.8.7 for the first time on a Redhat 7.2 machine...
>
> I would like to run it in the background in obfuscated ip mode, using
> the current rules from the site. It's a bit bizarre though... if I
> just run ./snort, it logs to /var/log/snort (which is fine) and only
> records scans of sensitive ports... I think. I tested it out by running
> ess against the machine I set snort on, and sure enough it seems to
> track the scans.
>
> Does the default ./snort use the snort.conf files though? I tried
> ./snort -dev -O -c snort.conf, but then it logs a -ton- of packets... if
> I just let this thing run for weeks, it will fill up my hard drive with
> snort logs.
>
> What is the most common configuration of snort that will only log the
> correct packets (meaning attempts to find vulnerabilities), not fill up
> my logs and yet provide the best information to track someone trying to
> scan me?
>
> The machine I'm installing this on is a standalone webserver colocated
> with our ISP. All non-essential services are shut down, but I am
> concerned because this machine has been hacked before. When that
> happened, I took it down and reinstalled everything from scratch, and
> now want to put some intrusion detection software on so I can tell when
> someone is portscanning me looking for vulnerabilities.
>
> Thanks!
> Bryan
>
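Bryan's underlying goal is to know when someone is probing the box without keeping every packet. The following is an added example, not code from this thread or from the Snort project: it reads Snort's one-line `-A fast` alert output (layout assumed here), groups alerts per source address, and flags sources that touched several distinct destination ports. The alert lines and the local-rule SIDs are constructed samples.

```python
import re
from collections import defaultdict

# Snort "-A fast" alert line layout (assumed here; one alert per line):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not from the thread; local-rule SIDs >= 1000000):
# one source probing several ports on the web server, one unrelated alert,
# and a stray non-alert line that the parser must skip.
SAMPLE_ALERTS = """\
08/10-17:55:29.100001  [**] [1:1000001:1] LOCAL ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
08/10-17:55:30.200002  [**] [1:1000002:1] LOCAL probe tcp/22 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:22
08/10-17:55:30.300003  [**] [1:1000002:1] LOCAL probe tcp/23 [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.5:23
08/10-17:55:30.400004  [**] [1:1000003:1] LOCAL probe tcp/3306 [**] [Priority: 1] {TCP} 192.0.2.10:40003 -> 198.51.100.5:3306
08/10-17:56:01.500005  [**] [1:1000004:1] LOCAL oversize HTTP request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51000 -> 198.51.100.5:80
this line is not an alert and must be skipped
"""

def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def summarize_by_source(text):
    """Per source IP: alert count and the distinct destination ports it touched."""
    summary = defaultdict(lambda: {"alerts": 0, "ports": set()})
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        summary[rec["src"]]["alerts"] += 1
        if rec["dport"] is not None:
            summary[rec["src"]]["ports"].add(rec["dport"])
    return dict(summary)

def likely_scanners(summary, min_ports=3):
    """Sources that hit at least min_ports distinct destination ports."""
    return sorted(src for src, s in summary.items() if len(s["ports"]) >= min_ports)
```

This consumes the alert file Snort writes when started with `-c snort.conf` in the background (`-D`), not the per-packet dump that `-v`, `-d` and `-e` produce.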
