Snort mailing list archives

Re: Too many questions


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 20 Nov 2002 18:33:43 -0500

Many of these questions are answered in the FAQ, and a lot of my answers reference it
http://www.snort.org/docs/faq.html

Read the FAQ next time... it is your friend.

At 11:17 PM 11/20/2002 +0330, Alireza Naderi wrote:
Hi All

I have too many questions about snort and its configuration.
If anyone knows the answers, kindly explain them or tell me how
I can find the answers (documents, etc.)

1. How can I tell snort to classify the alerts into, for
example, critical and normal, ...?

Snort by default has several classifications, see the classification.config file.


2. How can I tell it to mail the critical alerts?

Snort doesn't actually mail you anything. You'll have to set up whatever log processing you want to only mail you parts of your snort logs. See snort FAQ 5.7.



3. What is sensor_name in the configuration files, and what
work does it do?

That's for use with the database logging feature. This helps you log multiple sensors to one database. If you're not logging to a database, ignore it.


4. What is TAC_Pipe_1, which I read about in the snort documents (FreeBSD)
where it was written that "sensor_name=TAC_Pipe_1"?

That's just a fictitious example name, representing a possible name someone might have for one of their snort sensors (this one would be placed in their TAC and would be on "Pipe 1", presumably the first of several internet connections coming into the facility). You might also name it something like Wiring_Closet_Internet. Again, if you're not logging to a database, ignore it.

5. How can I configure it so that it will not make alerts if
192.168.12.3 attempts SNMP, but does make alerts if that IP attempts
other types of attack?

Use a pass rule in your snort config, or use a BPF on the command line. See FAQ 3.7.



6. How can I tell snort to block the source address of an ICMP
attack or other kinds of attack?

Snort itself doesn't do that; it is an IDS, not a firewall. It can, however, be made to reconfigure your firewall. For example, if you set up snort on a linux box which is acting as a firewall, you can use Hogwash to achieve this. See Snort FAQ 5.5.



7. Is it possible for it to execute a command on the remote machine,
for example change the password, if it detects a specific attack?

That's not something snort can do directly, and remotely changing passwords automatically seems HIGHLY insecure to do at all. External application execution should be done by logging to syslog and using swatch or logwatch. See snort FAQ 5.9.



8. How can I tell snort to listen on two NICs (eth0, eth1)?

Run 2 copies of snort, or use the any option if you are running on a linux box. See snort FAQ 3.4.



Thanks in advance
Alireza

-------------------------------------------------------
This sf.net email is sponsored by:
Battle your brains against the best in the Thawte Crypto
Challenge. Be the first to crack the code - register now:
http://www.gothawte.com/rd521.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Note: Emails authored under this address do not reflect the opinions of my employer unless otherwise stated. Facts contained are also prone to human error. If either of these statements are not humanly obvious to you, I suggest careful thought before leaping to any other conclusions.
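For question 5, the pass-rule route Matt points to looks roughly like the following. This is an added example, not from the original thread or the Snort FAQ; the variable name, message strings and sid numbers are assumptions.

```snort
# Added example, not from the original thread. Pass rules let matching
# traffic through without alerting. Snort's default rule order is
# alert -> pass -> log, so the SNMP alert rules would fire before a pass
# rule is ever reached; start snort with -o to change the order to
# pass -> alert -> log, otherwise these rules have no effect.
var SNMP_HOST 192.168.12.3     # assumed name for the host from question 5

# Ignore SNMP from that single host only (udp/161 get/set, udp/162 traps).
pass udp $SNMP_HOST any -> any 161 (msg:"pass SNMP from trusted host"; sid:1000001; rev:1;)
pass udp $SNMP_HOST any -> any 162 (msg:"pass SNMP traps from trusted host"; sid:1000002; rev:1;)

# Anything else from 192.168.12.3 is still matched by the normal alert rules.
# Start snort with pass rules evaluated first:
#   snort -o -c /etc/snort/snort.conf -i eth0
#
# The BPF alternative from the command line drops those packets before any
# rule or preprocessor sees them, so nothing about them is logged at all:
#   snort -c /etc/snort/snort.conf -i eth0 'not (src host 192.168.12.3 and udp port 161)'
```

Prefer the pass rule over the BPF when you still want other preprocessors (e.g. portscan detection) to see the host's SNMP traffic.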
