Snort mailing list archives
Re: how rules work
From: Matt Jonkman <jonkman () jonkmans com>
Date: Tue, 11 Dec 2007 13:06:48 -0500
Robert Fowler wrote:
Basically can I disable all rules and add them one by one ? and what file determines what rules to use ?
Best bet is to start by disabling/enabling the major categories that you might need. Also look at bleedingthreats.net for a complementary ruleset to the stock sets. Then look at what hits you get and make sure your sensor can handle the load. Then start en/disabling individual rules that are of interest to you. You can en/disable categories of rules in your snort.conf. Individual rules in the individual ruleset file most likely in your rules/ dir.
Will SNORT act as an IPS and kill my network or just monitor traffic?
It can do both. Stock it'll be just monitoring. To block you have to get more complex. Go inline, use flexresponse, or something like snortsam (snortsam.net).
Also on a separate note, do I need the network interface to operate in promiscuous mode and does this need a specific switch when starting snort?
It'll do that on its own, but ya generally so. Matt
Thanks for the help Robert
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
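As a worked illustration of Matt's advice above (categories toggled in snort.conf, single rules toggled in the file under rules/), here is an added example script. It is not code from the thread or from the Snort project. It assumes the Snort 2.x layout where each category is an `include $RULE_PATH/<name>.rules` line in snort.conf and a disabled rule is simply a commented-out line in its .rules file; the snort.conf, the rules file and the SIDs 1000001/1000002 are constructed sample input so the script runs offline, and the helper names (disable_category, disable_sid, etc.) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project: enable/disable whole
# rule categories in snort.conf and single rules by SID in a rules file, by
# commenting the relevant line out with "#" or uncommenting it again.
# The files below are constructed sample input; SIDs in the 1000000+ range are
# the conventional "local rules" space and are made up here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SNORT_CONF="$WORK/snort.conf"
RULES_FILE="$WORK/web-misc.rules"

cat > "$SNORT_CONF" <<'EOF'
var RULE_PATH rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/chat.rules
EOF

cat > "$RULES_FILE" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample one"; flow:to_server,established; content:"/foo"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample two"; flow:to_server,established; content:"/bar"; sid:1000002; rev:1;)
EOF

# Portable in-place edit (GNU and BSD sed disagree on -i): $1 = sed script, $2 = file.
edit_in_place() {
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Comment out the include line for a category: disable_category snort.conf chat
disable_category() {
    edit_in_place "s|^include \$RULE_PATH/$2\.rules|# &|" "$1"
}

# Put the include line for a category back.
enable_category() {
    edit_in_place "s|^# *\(include \$RULE_PATH/$2\.rules\)|\1|" "$1"
}

# Comment out one rule by SID; the line stays in the file so it can be re-enabled.
disable_sid() {
    edit_in_place "/sid:$2;/ s/^alert /# alert /" "$1"
}

# Uncomment one rule by SID.
enable_sid() {
    edit_in_place "/sid:$2;/ s/^# *alert /alert /" "$1"
}

# Category names snort.conf currently includes, one per line.
active_categories() {
    grep '^include ' "$1" | sed 's|.*/||; s|\.rules$||'
}

# Number of live (uncommented) rules in a rules file.
active_rule_count() {
    grep -c '^alert ' "$1" || true
}

# Demo: drop the chat category and rule 1000002, then report what is still loaded.
disable_category "$SNORT_CONF" chat
disable_sid "$RULES_FILE" 1000002
echo "categories: $(active_categories "$SNORT_CONF" | tr '\n' ' ')"
echo "live rules in $(basename "$RULES_FILE"): $(active_rule_count "$RULES_FILE")"
```

After editing, run `snort -T -c snort.conf` so Snort parses the configuration in test mode and reports any broken include or rule before you restart the sensor. Two caveats a practitioner will hit: hand-edited .rules files are overwritten the next time you pull an updated ruleset, so keep the SIDs you turned off in the disablesid list of whichever rule-update tool you use (Oinkmaster was the usual one at the time of this thread) rather than only in the files; and a line starting with `#` inside a rules file is a comment, so double-check that you did not comment out a multi-line rule continuation by accident.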
Current thread:
- how rules work Robert Fowler (Dec 11)
- Re: how rules work Matt Jonkman (Dec 11)
- <Possible follow-ups>
- Re: how rules work Robert Fowler (Dec 11)
- Re: how rules work Matt Jonkman (Dec 11)
- Unable to disable X-link2state alerts. Bachelor, Stephen A CTR USSOCOM HQ (Dec 11)
- Re: Unable to disable X-link2state alerts. Todd Wease (Dec 11)
- Re: Unable to disable X-link2state alerts. M. Shirk (Dec 11)
- Re: how rules work Matt Jonkman (Dec 11)