Snort mailing list archives

Any Interest?


From: Brian Bartlett <bbartlett () commtel net>
Date: Thu, 17 Jan 2002 07:34:19 -0500

Let me try again, :-)

I'm new to this list as of last week so this question may be redundant. At
the risk of starting an OS/NOS religious war, I have been playing with the
Win32 port of Snort since September. I started with just the simple command
line version and have slowly added more of the whiz-bang enhancements as I
went. I am presently running 3 sensors. One is just the basic command line
version alerting through IDSCenter on my broadband connection at home. The
others are the Win32 MySQL compile on Windows 2000 on my laptop and a test
server at work. I have installed and configured ACID on IIS 5.0 and the
Win32 release of Apache. I am using TextPad, IDSCenter and IDS Policy
Manager (ActiveWorx) as configuration tools. Through the months of testing I
have kept the original alert.ids file current with all the data gathered by
the sensors. Obviously this is not the ideal place to keep this info, which
leads me to my questions.
1. Is there a tool or command line to parse this info into my MySQL
database (I'm not a SQL guru but have dabbled and am not afraid of SQL
scripts :-) )?

2. This one is more general, but once I have all this info in the db I can
at least look at it with ACID and start to see trends. What are the "Best
Practices" for tuning my rules based on my data to reduce false positives
and then modify alerting to include email and/or pager support?

3. I am using NmapNT and Netcat for NT to scan and probe my sensors to
produce alerts. Any other neat tools I should be using to tune the rules?

4. My home network and laptop have a software firewall installed on them
(Tiny Personal Firewall). Will this affect the sensors installed on these
PCs? If I understand the WinPcap docs, this driver lies beneath the IP
stack and should see the packets before the firewall does, correct?

Thanks in advance for any help.

Brian D. Bartlett
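Questions 1 and 2 above (getting the accumulated alert.ids data into MySQL, then using it to spot noisy rules) can be approached with a small parser. The following is an added example, not code from the post or from the Snort project: it assumes alert.ids is in Snort's "full" alert layout (the sample records are constructed), turns each record into a row for any DB-API MySQL driver's `executemany` against a hypothetical `alert_import` table, and ranks signatures by frequency so the rules generating the most alerts can be reviewed for false positives first.

```python
import re
from collections import Counter
# Constructed sample in Snort's "full" alert layout (assumed to be what alert.ids holds); not from the post.
SAMPLE_ALERTS = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/17-07:30:01.123456 192.168.1.20 -> 192.168.1.10
ICMP TTL:44 TOS:0x0 ID:1234 IpLen:20 DgmLen:28

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/17-07:30:02.223344 192.168.1.20 -> 192.168.1.11
ICMP TTL:44 TOS:0x0 ID:1235 IpLen:20 DgmLen:28

[**] [1:1917:2] SCAN UPnP service discover attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/17-07:31:15.000001 192.168.1.5:1900 -> 239.255.255.250:1900
UDP TTL:4 TOS:0x0 ID:2 IpLen:20 DgmLen:152
"""
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")   # [**] [gid:sid:rev] msg [**]
CLASS = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?$")
# Hypothetical target table; change the column list to match your own schema.
COLS = ("gid", "sid", "rev", "msg", "priority", "ts", "src", "sport", "dst", "dport")
INSERT_SQL = f"INSERT INTO alert_import ({', '.join(COLS)}) VALUES ({', '.join('%s' for _ in COLS)})"

def parse_alerts(text):
    """Split alert.ids into blank-line separated records and return one dict per alert."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr = HEADER.match(lines[0])
        if not hdr:
            continue  # unknown record shape: skip it rather than guess at fields
        rec = {"gid": int(hdr[1]), "sid": int(hdr[2]), "rev": int(hdr[3]), "msg": hdr[4]}
        for line in lines[1:]:
            if m := CLASS.match(line):
                rec["classification"], rec["priority"] = m[1], int(m[2])
            elif m := PACKET.match(line):  # ports are absent for ICMP, so they stay None
                rec.update(ts=m[1], src=m[2], sport=m[3] and int(m[3]), dst=m[4], dport=m[5] and int(m[5]))
        records.append(rec)
    return records

def as_rows(records):
    """Parameter tuples for cursor.executemany(INSERT_SQL, as_rows(records)); missing fields become NULL."""
    return [tuple(r.get(c) for c in COLS) for r in records]

def signature_counts(records):
    """(gid, sid, msg) ordered by alert count: the noisiest rules are the first tuning candidates."""
    return Counter((r["gid"], r["sid"], r["msg"]) for r in records).most_common()
```

Parameterised inserts keep the rule message text (which is attacker-influenced in some rules) from being spliced into the SQL string.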
