[Snort-users] Newbie - how to extract any info from snort -ve d?

Erik Engberg Erik.Engberg at ...511...
Mon Sep 25 15:12:36 EDT 2000


When you are at it, implement a "tripwiring" system that'd alert on any
changes to your static important files. Tripwire for instance ;). There are
other systems GPL'd as well.


-----Original Message-----
From: Andreas Maus [mailto:andreas_maus at ...375...]
Sent: den 20 september 2000 17:40
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Newbie - how to extract any info from snort
-ved?


Martin Roesch wrote:
> 
> Ok, you definitely don't want to run "snort -ved" to detect intrusion.  To
> set yourself up in an intrusion detection mode, do these steps:
> 
> 1) Edit the snort-lib file.  Locate the line that starts with "var HOME_NET"
> and set the IP address to that of your host/network.  Be aware that /24 is a
> class C subnet indicator and /32 is a single host indicator, so if you're
> just trying to watch your own host for intrusion and its IP address is
> 192.168.1.55 you should set the variable to 192.168.1.55/32.  If you're
> trying to watch your entire class C network, you should specify
> 192.168.1.0/24.
> 
> 2) Set up a logging directory.  You don't need to do this explicitly because
> Snort will log to /var/log/snort if not assigned a log directory.  If you
> don't want to use /var/log/snort, you need to create a directory where Snort
> can send alerts and log output.
> 
> 3) Run Snort.  Here's a good command line:
> 
> snort -d -c snort-lib -A fast
> 
> This will run the snort-lib rules file and send alerts and packet logs to
> /var/log/snort, as well as alerting to a file called "alert" in the logging
> directory.
> 
> FYI, Snort *will* fill up your entire hard drive if you let it.  It needs to
> be tuned so that it will only record significant events such as intrusion
> attempts.  Using the rules system is one way to achieve this.
> 
> 
...yepp!...Plus:

Make a script that checks if these files have been changed and notifies you
if this happens (playing a sound, sending a message to your pager, ...whatever
you want...). And put this script in the crontab file.

Andreas

-- 
@---------------------------------------------@
|           email: andreas_maus at ...375...   |
|       http://www.bigfoot.com/~andreas_maus/ |
@---------------------------------------------@
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/snort-users
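The "script that checks if these files have been changed" that Andreas suggests, and the lightweight alternative to a full Tripwire install that Erik alludes to, boils down to recording a hash per watched file and re-checking it from cron. The following is an added example written for this archive page; it is not code from the thread or from the Snort project. It assumes GNU coreutils `sha256sum` (the `-c --quiet` check mode) and a POSIX `sh`; the function names `fim_baseline` and `fim_check` and the sample file names are the example's own.

```shell
#!/bin/sh
# Added example: minimal file-integrity check of the kind Andreas describes,
# intended to be run from cron. Assumes GNU coreutils sha256sum.
# Function names and file names here are the example's own, not Snort's.

# fim_baseline BASELINE FILE...
#   Record one SHA-256 digest per watched file (e.g. the snort-lib rules
#   file and snort.conf). Create the baseline once, while the files are
#   known-good, and store it somewhere the watched host cannot quietly
#   rewrite it (read-only media or a separate machine).
fim_baseline() {
    baseline="$1"
    shift
    sha256sum "$@" > "$baseline"
}

# fim_check BASELINE
#   Re-hash every file listed in BASELINE. Prints the path of each file whose
#   digest differs or that can no longer be read (deleted/renamed), one per
#   line, and returns 1 in that case; returns 0 when everything still matches.
#   "--quiet" suppresses the per-file OK lines so only failures remain; the
#   sed strips the ": FAILED ..." suffix sha256sum appends to each failure.
fim_check() {
    baseline="$1"
    changed=$(sha256sum -c --quiet "$baseline" 2>/dev/null \
              | sed -n 's/: FAILED.*$//p')
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# fim_report BASELINE
#   Cron-friendly wrapper: stays silent when nothing changed (so cron sends
#   no mail) and emits a one-line summary plus the changed paths otherwise.
#   Cron mails any output to the job owner, which is one of the notification
#   channels Andreas mentions.
fim_report() {
    changed=$(fim_check "$1") && return 0
    count=$(printf '%s\n' "$changed" | wc -l | tr -d ' ')
    printf 'WARNING: %s watched file(s) changed or missing on %s:\n' \
           "$count" "$(hostname)"
    printf '%s\n' "$changed"
    return 1
}
```

A typical deployment would create the baseline once with `fim_baseline /root/snort.sha256 /etc/snort/snort-lib /etc/snort/snort.conf` (paths are illustrative) and then add a crontab entry such as `*/15 * * * * /usr/local/bin/fim_report /root/snort.sha256`, relying on cron's mail-on-output behaviour for the alert. The check only covers files listed in the baseline; anything added to the directory later is out of scope, and the baseline itself needs the same protection as the files it describes, otherwise an intruder who can edit snort-lib can also re-hash it.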