[Snort-users] New to snort

Guillaume guillaume at ...4029...
Fri Nov 9 08:46:02 EST 2001


In reply to Philip Clark <pclark at ...4046...>:

> Hello All,
> 
> I am a new user to snort and I have 2 quick questions...
> 
> 1.) Is there a way to make your alerts point to which rule set invoked
> them?

What do you mean?
There is a comment associated with all signatures usually; it should be enough
to know what kind of event generated the alert. You could add some unique ID of
your own, but do not forget: there are about +1,000 snort rules now! :-)

> 2.) Is there a way to make Snort actually stop suspected traffic as
> opposed to only alerting?

Using flexresp will allow you to trigger some actions. But I'm not sure it
is always a good idea...
 

Guillaume.
