Snort mailing list archives
Re: Snort Query for IDS centre.
From: Erek Adams <erek () snort org>
Date: Fri, 29 Aug 2003 14:08:42 -0400 (EDT)
On Thu, 28 Aug 2003, sanjeevs wrote:
I have installed snort 2.0 on windows 2000 professional using IDS Centre 1.1 RC4. I am also getting Alerts as well as E-mails for the alerts that are logged. I am also able to download the rulesets.

a. Now my problem: how will I come to know that rules are getting downloaded and updated on my sensor? Is there any check I should do in order to confirm that? (I mean to say, do I need to check the date of some files in order to confirm that?)

b. LAN IPs used inside my Network are 10.1.54.0/24, 10.1.55.0/24 and 10.1.56.0/24. If I have to monitor all the 3 Networks using just 1 Sensor, how is it possible? I have configured HOME_NET as 10.1.56.0/24,10.1.55.0/24,10.1.54.0/24. Is this the correct format to be used?

c. Can we create our own new rules in order to block or permit traffic as per our needs?

d. I am planning to place the sensor behind the firewall, and the various ports that are kept OPEN in my firewall are as follows: 80, 25, HTTPS and 22. So could you please guide me as to what should be the syntax of the rule to be written if I have to monitor traffic coming from the ports mentioned above, PLUS snort should also LOG alerts via E-mail, PLUS it should LOG the data in a SQL database also.

Waiting for your reply.
You know, you could _really_ do yourself a favor and read the docs. Even just a tiny little bit. Start here [0]. Then, move on to the FAQ [1]. In those documents, you'll find everything you just asked answered.

Multiple nets in HOME_NET -- FAQ 3.4
Create rules -- Entire Chapter 2 of the Manual.
IDS Placement -- FAQ 2.5
Update rules -- Do it by hand, you'll always know.
Multiple Outputs for Rules -- Snort.conf file

Oh, and 6 penalty drinks [2].

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.snort.org/docs/writing_rules/
[1] http://www.snort.org/docs/FAQ.txt
[2] http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
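The items the reply points to (multiple networks in HOME_NET, site-local rules for the open ports, and multiple output plugins in snort.conf) fit in one configuration fragment. The following is an added example written for this archive page; it is not part of either message and not taken from the Snort manual or FAQ. The rule path, the SIDs, the rule messages and the database credentials are placeholders, and the rules themselves are illustrative detections for the four services named in the question (80, 25, 443, 22).

```conf
# Added example (not from the thread or the Snort docs): a snort.conf fragment
# for one sensor watching three internal /24s and the four services the
# firewall leaves open. Paths, SIDs and database credentials are placeholders.

# Several networks in one variable must be written as a bracketed,
# comma-separated list with no spaces. The unbracketed form in the
# question is not accepted by Snort.
var HOME_NET [10.1.54.0/24,10.1.55.0/24,10.1.56.0/24]
var EXTERNAL_NET !$HOME_NET

# The ports left open on the firewall, as variables so the rules stay readable.
var HTTP_PORTS 80
var HTTPS_PORTS 443
var SMTP_PORTS 25
var SSH_PORTS 22

# Placeholder rule directory for a Windows install.
var RULE_PATH C:\Snort\rules

# Output plugins. Every alert goes to every configured output, so listing
# more than one here is how "log to a file AND to a database" is done.
# E-mail is not a Snort output plugin; a front end such as IDS Center
# sends mail by watching the alert file.
output alert_fast: alert.ids
# Placeholder credentials: replace before use.
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

# Site-local rules, one per open service. SIDs from 1000000 upward are
# reserved for local rules so they never collide with a downloaded ruleset.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"LOCAL inbound SSH connection attempt"; flags:S,12; classtype:not-suspicious; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SMTP_PORTS (msg:"LOCAL SMTP VRFY probe"; flow:to_server,established; content:"VRFY"; nocase; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL web directory traversal attempt"; flow:to_server,established; content:"../"; classtype:web-application-attack; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTPS_PORTS (msg:"LOCAL inbound HTTPS connection attempt"; flags:S,12; classtype:not-suspicious; sid:1000004; rev:1;)

# The downloaded rulesets are still included; the local rules above
# supplement them rather than replace them.
include $RULE_PATH/web-iis.rules
include $RULE_PATH/smtp.rules
```

Two notes on the design. The two "connection attempt" rules match only on the SYN (`flags:S,12` ignores the two reserved bits), so they fire once per connection instead of on every packet of an established session; the content rules use `flow:to_server,established` so they only inspect client-to-server data in a completed handshake. For the rule-update check in question (a), comparing the modification dates or checksums of the files under $RULE_PATH before and after a download is exactly the "do it by hand" approach the reply recommends.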