[Snort-users] Newbie - how to extract any info from snort -ved?

Andreas Maus andreas_maus at ...375...
Wed Sep 20 11:40:14 EDT 2000


Martin Roesch wrote:
> 
> Ok, you definitely don't want to run "snort -ved" to detect intrusion.  To set
> yourself up in an intrusion detection mode, do these steps:
> 
> 1) Edit the snort-lib file.  Locate the line that starts with "var HOME_NET"
> and set the IP address to that of your host/network.  Be aware that /24 is a
> class C subnet indicator and /32 is a single host indicator, so if you're just
> trying to watch your own host for intrusion and its IP address is 192.168.1.55
> you should set the variable to 192.168.1.55/32.  If you're trying to watch
> your entire class C network, you should specify 192.168.1.0/24.
> 
> 2) Set up a logging directory.  You don't need to do this explicitly because
> Snort will log to /var/log/snort if not assigned a log directory.  If you
> don't want to use /var/log/snort, you need to create a directory where Snort
> can send alerts and log output.
> 
> 3) Run Snort.  Here's a good command line:
> 
> snort -d -c snort-lib -A fast
> 
> This will run the snort-lib rules file and send alerts and packet logs to
> /var/log/snort, as well as alerting to a file called "alert" in the logging
> directory.
> 
> FYI, Snort *will* fill up your entire hard drive if you let it.  It needs to
> be tuned so that it will only record significant events such as intrusion
> attempts.  Using the rules system is one way to achieve this.
> 
...yepp!...Plus:

Make a script that checks if these files have been changed and notifies you
if this happens (playing a sound, sending a message to your pager, ... whatever
you want ...). And put this script in the crontab file.

Andreas

-- 
@---------------------------------------------@
|           email: andreas_maus at ...375...   |
|       http://www.bigfoot.com/~andreas_maus/ |
@---------------------------------------------@
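One way to do what the reply suggests, as an added example that is not part of the original thread: a small POSIX sh script, meant to be run from cron, that remembers how many lines the Snort alert file had last time, reports only the new lines, and hands them to whatever notification you prefer. The paths (/var/log/snort/alert from step 3 above, and a state file under /var/lib/snort-watch), the script name snort-watch, and the mail/logger fallback in notify are assumptions for this example, not anything the post prescribes. A rotated or truncated alert file (fewer lines than last time) is treated as a fresh file so nothing is silently skipped.

```shell
#!/bin/sh
# Added example, not from the original post: cron-driven watcher that
# notices new lines in Snort's alert file and notifies.
# Assumed paths (override via environment):
ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"
STATE_FILE="${STATE_FILE:-/var/lib/snort-watch/alert.lines}"

# snort_new_alerts ALERT STATE
# Compares the current line count of ALERT with the count stored in STATE.
# Prints the lines added since the last run, updates STATE, and returns
# 0 when there are new alerts, 1 when nothing changed or ALERT is unreadable.
# If ALERT now has fewer lines than recorded (log rotated or truncated),
# the count restarts at 0 so every current line is reported.
snort_new_alerts() {
    alert="$1"
    state="$2"
    [ -r "$alert" ] || return 1
    cur=$(wc -l < "$alert" | tr -d ' ')
    old=0
    [ -r "$state" ] && old=$(cat "$state")
    [ "$cur" -lt "$old" ] && old=0          # rotated/truncated: start over
    mkdir -p "$(dirname "$state")"
    printf '%s\n' "$cur" > "$state"
    [ "$cur" -gt "$old" ] || return 1
    tail -n +"$((old + 1))" "$alert"         # only the lines after the old count
    return 0
}

# notify MESSAGE
# Assumed delivery: local mail to root, falling back to syslog if mail is
# missing. Replace with a sound, a pager gateway, or whatever you want.
notify() {
    printf '%s\n' "$1" | mail -s "snort: new alerts on $(uname -n)" root 2>/dev/null \
        || logger -t snort-watch "$1"
}

main() {
    if new=$(snort_new_alerts "$ALERT_FILE" "$STATE_FILE"); then
        notify "$new"
    fi
}

# Run only when invoked as "snort-watch run" so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Install it as, for instance, /usr/local/sbin/snort-watch and add a crontab line such as `*/5 * * * * /usr/local/sbin/snort-watch run` (assumed path and interval). Keeping the line count rather than a checksum is what makes the notification carry the actual new alerts instead of just "something changed".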
