Snort mailing list archives
Re: What makes a complete IDS package?
From: Martin Holste <mcholste () gmail com>
Date: Mon, 21 Mar 2011 11:28:01 -0500
You're already set with PulledPork for rule management. Don't forget to do your tuning through disable_sids.conf. I have Snort/Suricata log to syslog and deal with alerts from my custom SIEM, but if I didn't, I'd be using something like Snorby for my web front-end. I then use StreamDB (code.google.com/p/streamdb/) to handle investigating alerts as it will immediately spit out the URL and fully decoded page content from the alert connection you give it, and it will integrate with Snorby in place of OpenFPC. This saves a lot of time over SGUIL or daemonlogger on a busy connection. However, I'd still recommend that you run daemonlogger or SANCP alongside in that rare case you want to inspect low-level packet data. On Sat, Mar 19, 2011 at 9:09 AM, Joel Esler <jesler () sourcefire com> wrote:
> I don't. No. I have those set to block in the IPS.
>
> On Mar 19, 2011, at 9:58 AM, James Lay wrote:
>
>>> I review my events on the command line. I don't use a DB or whatever. I've tuned the hell out of my Snort installation, so that when it alerts, I need to deal with something.
>>>
>>> Joel
>>
>> Joel,
>>
>> So….do you nuke out the "possible" rules? Or the "likely hostile" rules? I spend a fair amount of time tracking down obfuscated javascript and javascript in pdf type alerts…most are non-malicious, but some turn out to be bad…curious on just how much you've tuned my friend ;)
>>
>> James
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
> Twitter: @snort
------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
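Martin's post describes logging Snort/Suricata alerts to syslog and doing rule tuning through PulledPork's disable_sids.conf. The script below is an added example (mine, not Martin's and not code from PulledPork or Snort) of that workflow: it parses lines in Snort's alert_syslog format, counts hits per GID:SID, and drafts disable_sids.conf entries for rules that fire often at low priority. The syslog lines are constructed for the example (the SIDs are real Snort rule numbers, the traffic is not), the hit threshold and the priority cut-off are assumptions, and the output is a draft to review, not something to commit blindly, since, as the "possible" vs "likely hostile" exchange shows, a noisy rule can still be the one that turns out to be bad.

```python
"""Summarise Snort alert_syslog output by GID:SID and draft disable_sids.conf
candidates for PulledPork.  Added example; not code from the list post."""
import re
from collections import Counter, defaultdict

# Constructed sample in Snort's alert_syslog line format (made up for this
# example).  One non-alert daemon message is included to show it is skipped.
SAMPLE_SYSLOG = """\
Mar 21 11:01:02 sensor1 snort[2817]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.0.2.9:1434
Mar 21 11:01:07 sensor1 snort[2817]: [1:2925:3] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:80 -> 10.1.1.21:50112
Mar 21 11:01:09 sensor1 snort[2817]: [1:2925:3] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:80 -> 10.1.1.22:50187
Mar 21 11:01:15 sensor1 snort[2817]: Reload thread started, thread 0x7f1a1c0fa700 (2817)
Mar 21 11:02:01 sensor1 snort[2817]: [1:1201:10] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.8:443 -> 10.1.1.30:43512
Mar 21 11:02:40 sensor1 snort[2817]: [1:2925:3] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.77:80 -> 10.1.1.23:50201
Mar 21 11:03:11 sensor1 snort[2817]: [1:498:6] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 203.0.113.8:80 -> 10.1.1.30:43601
Mar 21 11:03:30 sensor1 snort[2817]: [1:1201:10] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.8:443 -> 10.1.1.31:43620
Mar 21 11:03:45 sensor1 snort[2817]: [1:498:6] ATTACK-RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 203.0.113.8:80 -> 10.1.1.32:43655
Mar 21 11:04:02 sensor1 snort[2817]: [1:2925:3] INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.20:80 -> 10.1.1.24:50340
"""

# alert_syslog layout: [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst
# The Classification block is optional (rules without a classtype omit it).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<pri>\d+)\] \{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alerts(text):
    """Return one dict per alert line; non-alert syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["key"] = f"{rec['gid']}:{rec['sid']}"   # disable_sids.conf uses gid:sid
        rec["pri"] = int(rec["pri"])
        alerts.append(rec)
    return alerts


def noisiest_sids(alerts, top=10):
    """(gid:sid, hit count) pairs, loudest first."""
    return Counter(a["key"] for a in alerts).most_common(top)


def disable_candidates(alerts, min_hits=2, protect_priority=1):
    """Rules firing at least min_hits times whose priority is worse (numerically
    higher) than protect_priority.  Priority-1 rules are never suggested, however
    noisy: those are the ones you want to look at, not silence.  Thresholds are
    assumptions for this example."""
    by_key = defaultdict(list)
    for a in alerts:
        by_key[a["key"]].append(a)
    cands = []
    for key, hits in by_key.items():
        pri = min(h["pri"] for h in hits)
        if len(hits) < min_hits or pri <= protect_priority:
            continue
        # Distinct source addresses (IPv4 host:port assumed): one scanner hammering
        # a rule reads differently from the same rule firing across the estate.
        sources = {h["src"].rsplit(":", 1)[0] for h in hits}
        cands.append({"sid": key, "hits": len(hits), "priority": pri,
                      "sources": len(sources), "msg": hits[0]["msg"]})
    cands.sort(key=lambda c: (-c["hits"], c["sid"]))
    return cands


def render_disable_sids(cands):
    """Emit PulledPork disable_sids.conf syntax: '#' comments, one gid:sid per line."""
    lines = ["# Candidates drafted from alert volume; review each before committing."]
    for c in cands:
        lines.append(f"# {c['sid']}: {c['hits']} hits from {c['sources']} source(s), "
                     f"priority {c['priority']}: {c['msg']}")
        lines.append(c["sid"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_SYSLOG)
    for key, n in noisiest_sids(parsed):
        print(f"{n:5d}  {key}")
    print(render_disable_sids(disable_candidates(parsed)))
```

On the sample, 1:2925 (four hits, priority 3) and 1:1201 (two hits, priority 2) become candidates, 1:2003 is below the hit threshold, and 1:498 is protected despite firing twice because it is priority 1. Point it at a real syslog file (or `journalctl -u snort` output) and check the draft against what the rules actually caught before appending anything to disable_sids.conf and re-running PulledPork.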
Current thread:
- What makes a complete IDS package? James Lay (Mar 18)
- Re: What makes a complete IDS package? Jefferson, Shawn (Mar 18)
- Re: What makes a complete IDS package? Joel Esler (Mar 18)
- Re: What makes a complete IDS package? James Lay (Mar 19)
- Re: What makes a complete IDS package? Joel Esler (Mar 19)
- Re: What makes a complete IDS package? Martin Holste (Mar 21)
- Re: What makes a complete IDS package? Joel Esler (Mar 21)
- Re: What makes a complete IDS package? Jefferson, Shawn (Mar 21)
- Re: What makes a complete IDS package? Joel Esler (Mar 21)
- Re: What makes a complete IDS package? James Lay (Mar 19)