Snort mailing list archives
RE: New user question(s)
From: "Harper, Patrick" <patrick.harper () phns com>
Date: Wed, 22 Sep 2004 13:25:01 -0500
When you say snortd are you talking about the init script? -----Original Message----- From: Matt Kettler [mailto:mkettler () evi-inc com] Sent: Wednesday, September 22, 2004 10:53 AM To: Chris; 'Snort Users' Subject: Re: [Snort-users] New user question(s) At 09:29 PM 9/21/2004, Chris wrote:
1. What is the difference in running snortd vice snort w/cl
parameters? This I don't know.. I've never heard of snortd before.
2. Reading the FAQ it states to start snort with snort -A full -c snort.conf then in the next line it states: Note that the default output mode (-A full) of snort should not be used
except in very controlled environments. It is the slowest way to run snort and presents several hard to recover from problems with inode creation on filesystems. So, if this causes problems, how then should snort be started?
snort -A full -c snort.conf is a good starting point, but the manual is correct that you probably don't want to use this for long-term production. Eventually you'll want to shift to somethign faster. I use the equivalent of snort -A fast -b, but much of mine is specfied in snort.conf. In production, most people use SQL logging, to feed something like ACID or BASE, or barnyard.. Some, like me, still use text logs, but log packet captures as binary pcap to maintain speed.
3. I run no servers on my box. I've set it up in the belief that if
would
compliment my firewall. If my firewall is working sufficiently in my opinion, then do I even need to run an IDS?
Does your firewall process the application layer, in detail, for attack patterns? Will your firewall recognize packets containing backdoor "phone home" patterns? On outbound traffic? Firewalls are *great* tools. However, they don't serve the same functions as an IDS. An IDS helps you see anomalies in your traffic. It examines packets in-depth to find suspect patterns in the actual packet payload, not just the headers. The only firewall product I know of that comes close to an IDS is a netscreen with the deep-inspection feature. But even this is quite limited by comparison to a true IDS. ------------------------------------------------------- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Disclaimer: This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately. ------------------------------------------------------- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- New user question(s) Chris (Sep 22)
- Re: New user question(s) Jason (Sep 22)
- Re: New user question(s) Matt Kettler (Sep 22)
- <Possible follow-ups>
- RE: New user question(s) Harper, Patrick (Sep 22)
- Re: New user question(s) Chris (Sep 22)
- RE: New user question(s) Harper, Patrick (Sep 22)