[Snort-users] Basic questions about snort

Swen Veckes s.veckes at ...1361...
Sun Apr 15 10:34:22 EDT 2001


Hi Jason.

I'm using snort with "Guardian.pl" on our firewall. Snort is logging to
a remote DB (MySQL) and guardian is making deny rules for the attacking
hosts. I also use "girr.sh" to delete these rules (and also some false
positives) every 24 hours.
I'm using ACID on the DB to watch my alerts and also information.
You can use "logsnorter", which reads syslog in real time and puts the
alerts from Cisco ACL violations and ipchains into the same DB, so I can
watch them all together.
I mean, my Ciscos and other servers, including firewalls, are logging to
one central server.
I will try to write a script that generates a report of blocked hosts,
current alerts and so on and notifies me by mail or pager. And I will have
a look at the "snorticus" scripts.
This setup works well for me.

Hope this helps.

Swen

On 14 Apr 2001 20:51:19 -0400, Jason Lewis wrote:
> First, if there is a FAQ that covers my questions could someone point me to
> it?  I haven't been able to find one.
> 
> Has anyone deployed snort in an enterprise class network?  If so, where did
> you go to help you get things working?  I am looking to roll snort out and I
> don't want to reinvent the wheel.  If there isn't one, I will document my
> experience.
> 
> Does snort get along with ipchains?  If I run snort on the same interface
> that I am running ipchains rules on, will it be able to detect attacks?  I
> guess the real question is, do the ipchains rules run before snort has a
> chance to see them?
> 
> Jason
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
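The workflow Swen describes above (Guardian-style deny rules for attacking hosts, girr-style removal of rules after 24 hours, and a report of blocked hosts and current alerts) as an added Python example. This is not Guardian.pl, girr.sh or any code from the thread. It assumes Snort's one-line "fast" alert format and parses constructed sample lines rather than the MySQL table Guardian reads; the year (fast alerts carry none), the home network 192.0.2.0/24, the ipchains `input` chain and the 24-hour expiry are assumptions, and the ipchains commands are returned as strings rather than executed.

```python
"""Guardian/girr-style blocker: Snort fast alerts -> ipchains DENY rules,
expiry after 24 hours, and a short report. Added example, not Guardian.pl
or girr.sh; all inputs below are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Snort "fast" alert line (constructed sample; not real traffic):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [...] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[^\]]*\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$'
)

SAMPLE_ALERTS = """\
04/15-09:12:01.442113  [**] [1:100:1] WEB-CGI probe attempt [**] [Priority: 2] {TCP} 10.1.2.3:41022 -> 192.0.2.10:80
04/15-09:12:05.003981  [**] [1:100:1] WEB-CGI probe attempt [**] [Priority: 2] {TCP} 10.1.2.3:41023 -> 192.0.2.10:80
04/15-09:40:17.118260  [**] [1:200:1] SCAN nmap TCP [**] [Priority: 3] {TCP} 203.0.113.7:60100 -> 192.0.2.11:22
04/15-10:02:44.770010  [**] [1:300:1] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.5 -> 192.0.2.10
"""

CHAIN = "input"                      # ipchains built-in chain (assumed)
YEAR = 2001                          # fast alerts carry no year (assumed)
HOME_NETS = ["192.0.2.0/24"]         # never block our own hosts (assumed)
MAX_AGE = timedelta(hours=24)        # girr.sh expiry interval (assumed)


def parse_alerts(text, year=YEAR):
    """Return one dict per fast-alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        alerts.append({"time": ts, "msg": m["msg"], "proto": m["proto"],
                       "src": m["src"], "dst": m["dst"]})
    return alerts


def is_exempt(ip, home_nets=HOME_NETS, whitelist=()):
    """Sources inside the home nets or on the false-positive whitelist are never blocked."""
    addr = ipaddress.ip_address(ip)
    return ip in whitelist or any(addr in ipaddress.ip_network(n) for n in home_nets)


def block_attackers(alerts, blocked, home_nets=HOME_NETS, whitelist=()):
    """Guardian step: one DENY rule per new attacking source.
    Records first-seen time in `blocked` and returns the commands to run."""
    cmds = []
    for a in alerts:
        src = a["src"]
        if src in blocked or is_exempt(src, home_nets, whitelist):
            continue
        blocked[src] = a["time"]
        cmds.append(f"ipchains -A {CHAIN} -s {src} -j DENY")
    return cmds


def expire_blocks(blocked, now, max_age=MAX_AGE):
    """girr step: delete rules older than max_age. Mutates `blocked`, returns commands."""
    cmds = []
    for src, since in sorted(blocked.items()):
        if now - since >= max_age:
            del blocked[src]
            cmds.append(f"ipchains -D {CHAIN} -s {src} -j DENY")
    return cmds


def report(alerts, blocked):
    """Plain-text summary suitable for mailing or paging."""
    lines = [f"blocked hosts: {len(blocked)}"]
    for src, since in sorted(blocked.items()):
        lines.append(f"  {src} since {since:%Y-%m-%d %H:%M:%S}")
    counts = {}
    for a in alerts:
        counts[a["msg"]] = counts.get(a["msg"], 0) + 1
    lines.append(f"alerts: {len(alerts)}")
    for msg, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"  {n:4d}  {msg}")
    return "\n".join(lines)


def run_cycle(alert_text, now_text, whitelist=()):
    """One Guardian+girr pass over a batch of alerts at wall-clock `now_text`
    ("YYYY-MM-DD HH:MM:SS"). Returns (add_cmds, del_cmds, report_text)."""
    now = datetime.strptime(now_text, "%Y-%m-%d %H:%M:%S")
    alerts = parse_alerts(alert_text)
    blocked = {}
    adds = block_attackers(alerts, blocked, whitelist=whitelist)
    dels = expire_blocks(blocked, now)
    return adds, dels, report(alerts, blocked)


if __name__ == "__main__":
    adds, dels, text = run_cycle(SAMPLE_ALERTS, "2001-04-16 09:30:00")
    for cmd in adds + dels:
        print(cmd)        # on the firewall these would be handed to os.system()
    print(text)
```

With the sample, 10.1.2.3 and 203.0.113.7 get DENY rules while the ICMP alert from the home network is ignored; at 09:30 the next day only the 10.1.2.3 rule is old enough to be removed. The two-step design matters operationally: the block step must never touch whitelisted or internal sources (a spoofed alert would otherwise let an attacker make the firewall deny its own hosts), and the expiry step keys on first-seen time so a persistent attacker is re-blocked on the next pass rather than kept forever.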