When you are at it, implement a "tripwiring" system that'd alert on any
changes to your static important files. Tripwire for instance ;). There are
other systems GPL'd as well.

Martin Roesch wrote:
> Ok, you definitely don't want to run "snort -ved" to detect intrusion.  To
> yourself up in an intrusion detection mode, do these steps:
> 1) Edit the snort-lib file.  Locate the line that starts with "var
> and set the IP address to that of your host/network.  Be aware that /24 is
> class C subnet indicator and /32 is a single host indicator, so if you're
> trying to watch your own host for intrusion and its IP address is
> you should set the variable to  If you're trying to watch
> your entire class C network, you should specify
> 2) Set up a logging directory.  You don't need to do this explicitly
> Snort will log to /var/log/snort if not assigned a log directory.  If you
> don't want to use /var/log/snort, you need to create a directory where
> can send alerts and log output.
> 3) Run Snort.  Here's a good command line:
> snort -d -c snort-lib -A fast
> This will run the snort-lib rules file and send alerts and packet logs to
> /var/log/snort, as well as alerting to a file called "alert" in the
> directory.
> FYI, Snort *will* fill up your entire hard drive if you let it.  It needs
> be tuned so that it will only record significant events such as intrusion
> attempts.  Using the rules system is one way to achieve this.

Make a script that checks if these files have been changed and notifies you
if this happens (playing a sound, sending a message to your pager,...what
you want...). And put this script in the crontab file.
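
The cron-driven change check suggested in the reply above, sketched as an added example that is not part of the original messages. The file paths, script name and watch-list format are assumptions, and notification relies on cron mailing a job's output to the crontab owner.

```shell
#!/bin/sh
# Added example: minimal file-integrity check intended to run from cron.
# WATCH_LIST and BASELINE are hypothetical paths chosen for this sketch.
WATCH_LIST="${WATCH_LIST:-/etc/tripcheck/watch.list}"      # one absolute path per line
BASELINE="${BASELINE:-/var/lib/tripcheck/baseline.sha256}"

# Hash every watched file. A file that no longer exists gets a MISSING
# marker, so deletion shows up as a change as well.
snapshot() {
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ -f "$f" ]; then
            sha256sum -- "$f"
        else
            printf 'MISSING  %s\n' "$f"
        fi
    done < "$WATCH_LIST"
}

# Record the known-good state. Run once, right after a trusted install.
init_baseline() {
    ( umask 077; snapshot > "$BASELINE" )
}

# Print the paths whose current state differs from the baseline.
# Returns 0 if nothing changed, 1 if something did, 2 on internal error.
check_files() {
    cur=$(mktemp) || return 2
    snapshot > "$cur"
    # Lines starting with ">" exist only in the current snapshot.
    changed=$(diff "$BASELINE" "$cur" | sed -n 's/^> [^ ]*  //p')
    rm -f "$cur"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Crontab entry (hypothetical install path), checking every 15 minutes:
#   */15 * * * * /usr/local/sbin/tripcheck.sh check
# cron mails anything the job prints, which serves as the notification.
case "${1:-}" in
    init)  init_baseline ;;
    check) check_files ;;
esac
```

A baseline stored on the monitored host can be rewritten by whoever changed the files, so keep a copy on read-only or off-host storage and compare against that.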


