[Snort-users] OK it's time to update the FAQ...

Joe McAlerney joey at ...155...
Thu Nov 16 18:57:03 EST 2000


Dragos Ruiu wrote:

> Does anyone have any immediate candidates that jump to mind? 

1) The different ways to handle multiple subnets, including pros and
cons of each.  This is always in the discussion forum, and probably
twice a month in here.  I was going to take a stab at it and still will
if you want some input.

2) How to ignore traffic - basically pass rules and
portscan-ignorehosts.

3) Q. Why does the portscan plugin log "stealth" packets even though the
host is in portscan-ignorehosts?
   A. Because that's the way it was made. :-) No, because these types of
TCP packets are inherently suspicious, no matter where they are coming
from.  Although, there has been talk of ignoring these packets too.  I'm
not sure where that stands.

4) I'm getting large amounts of <insert high false positive rule here>'s.
What should I do?  Where can I go to find out more about it?

5) I can't find where Snort is logging to? (I think this one deserves a
thorough analysis of each way Snort logs, and the default logging
location and file name of each.)

6) Where's a good place to physically put a Snort sensor?  (Eh, this may
be too general of a question, but it's asked quite a bit I think).

7) I'm on a switched network; can I still use Snort?

I'm sure I'll think of some more right as I hit "send".  Some of these
may be a matter of opinion, so it may not hurt to get input from
different sources.  Again, I would be happy to help out.  Let me know.

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+