Snort mailing list archives

Re: stopping snort


From: Alberto Gonzalez <albertg () cerebro violating us>
Date: Fri, 13 Dec 2002 16:06:36 -0800

daemontools?

Bennett Todd wrote:

> 2002-12-13-13:54:14 Don:
>> Has anyone found a way to stop snort, automatically, [...]
>
> That's very much a platform-specific question. On platforms on which
> I'd try and support snort, when it's installed the way I'd install
> it, I can always stop it with "/etc/init.d/snort stop".
>
>> What I want to do is have snort stop, if it gets more than 'x'
>> alerts in a single hour, or some time frame, then of course email
>> me that it has stopped.
>
> On the platforms where I'd support snort, I'd just use swatch with a
> rule to stop snort. No new engineering required. However, I wouldn't
> actually set this up; instead, I'd fix the underlying problem of
> looping errors.
>
>> I do go to syslog with alerts. Any suggestions? I have a
>> particular sensor that periodically starts alerting on something,
>> that just causes a round robin effect, and fills up the logs with
>> the same error over and over and over, it gets really boring
>> actually.
>
> Sounds like the snort alert is re-triggering the alarm. You've got
> several choices.
>
> - don't ship the snort alerts off-system
> - don't ship them through an interface that snort is watching
> - fix the signature so it doesn't re-signal on its own alarm data
> - encapsulate the alarm data in something like SSL or SSH so snort
>   can't see the scary bits any more
> - write a BPF filter to blind snort to the traffic stream that's
>   carrying the alarms off-system
> - disable the alarm that's looping
>
> and maybe there are more alternatives.
>
> -Bennett
>
> --
> The secret to success is to start from scratch and keep on scratching.
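Added example, not from the thread and not Snort's or swatch's own code: a POSIX shell script that does what Don asked for (count the Snort alerts syslog recorded in one hour, and stop Snort plus mail the admin when the count passes a limit), the same job Bennett would hand to a swatch rule. The sample syslog lines are constructed; the "snort[PID]:" syslog tag, the "/etc/init.d/snort stop" command, and the ADMIN address are assumptions, and the stop is a dry run unless LIVE=1.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts Snort alert lines that
# syslog wrote in one hour and stops Snort (and mails the admin) when the
# count exceeds a limit. Assumptions not stated in the thread: alerts land
# in a syslog file with the tag "snort[PID]:", Snort is stopped with
# "/etc/init.d/snort stop", and ADMIN is a hypothetical address.

ADMIN="${ADMIN:-ids-admin@example.net}"
STOP_CMD="${STOP_CMD:-/etc/init.d/snort stop}"

# Writes constructed sample syslog lines to a temp file and prints its path,
# so the example runs offline.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Dec 13 13:01:02 sensor1 snort[1234]: [1:1000001:1] WEB-MISC example alert [Priority: 2] {TCP} 192.0.2.5:4321 -> 198.51.100.7:80
Dec 13 13:05:10 sensor1 snort[1234]: [1:1000001:1] WEB-MISC example alert [Priority: 2] {TCP} 192.0.2.5:4322 -> 198.51.100.7:80
Dec 13 13:07:45 sensor1 sshd[999]: Accepted publickey for admin from 192.0.2.9 port 50022
Dec 13 13:30:00 sensor1 snort[1234]: [1:1000001:1] WEB-MISC example alert [Priority: 2] {TCP} 192.0.2.5:4323 -> 198.51.100.7:80
Dec 13 14:02:00 sensor1 snort[1234]: [1:1000002:1] SCAN example probe [Priority: 3] {UDP} 192.0.2.6:53 -> 198.51.100.8:53
EOF
    printf '%s\n' "$f"
}

# count_alerts LOGFILE "Mon DD HH": number of Snort alert lines in that hour.
# "|| true" keeps grep's exit status 1 on zero matches from aborting callers.
count_alerts() {
    grep -c "^$2:.* snort\[[0-9]*\]: \[" "$1" || true
}

# over_threshold LOGFILE HOUR MAX: succeeds when the hour's alert count
# exceeds MAX.
over_threshold() {
    n=$(count_alerts "$1" "$2")
    [ "$n" -gt "$3" ]
}

# stop_and_notify HOUR COUNT MAX: the action Don asked for. Only acts when
# LIVE=1, so the example is a dry run by default.
stop_and_notify() {
    msg="snort stopped: $2 alerts in hour '$1' exceeded limit $3"
    if [ "${LIVE:-0}" = 1 ]; then
        $STOP_CMD
        printf '%s\n' "$msg" | mail -s "snort stopped" "$ADMIN"
    else
        printf 'dry run: would run "%s" and mail %s: %s\n' "$STOP_CMD" "$ADMIN" "$msg"
    fi
}

# Stand-alone run over the constructed log: hour 13 has 3 alerts, limit is 2.
LOG=$(make_sample_log)
HOUR="Dec 13 13"
MAX=2
COUNT=$(count_alerts "$LOG" "$HOUR")
if over_threshold "$LOG" "$HOUR" "$MAX"; then
    stop_and_notify "$HOUR" "$COUNT" "$MAX"
fi
rm -f "$LOG"
```

Run it from cron once an hour with LOGFILE and HOUR set to the previous hour to get the behaviour Don described. Bennett's BPF option is the cheaper fix for the loop itself: if the syslog stream goes to a loghost at, say, 192.0.2.10 (an assumed address), starting Snort with the trailing filter 'not (host 192.0.2.10 and udp port 514)' keeps it from ever seeing its own alert data, and nothing needs to stop it.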




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

