[Snort-users] stopping snort
bet at ...6163...
Fri Dec 13 12:52:03 EST 2002
> Has anyone found a way to stop snort, automatically, [...]
That's very much a platform-specific question. On platforms on which
I'd try and support snort, when it's installed the way I'd install
it, I can always stop it with "/etc/init.d/snort stop".
> what i want to do is have snort stop, if it gets more than 'x'
> alerts in a single hour, or some time frame, then of course email
> me that it has stopped.
On the platforms where I'd support snort, I'd just use swatch with a
rule to stop snort. No new engineering required. However, I wouldn't
actually set this up; instead, I'd fix the underlying problem of
> i do go to syslog with alerts. any suggestions. I have a
> particular sensor that periodically starts alerting on something,
> that just causes a round robin effect, and fills up the logs with
> the same error over and over and over, it gets really boring
Sounds like the snort alert is re-triggering the alarm. You've got
- don't ship the snort alerts off-system
- don't ship them through an interface that snort is watching
- fix the signature so it doesn't re-signal on its own alarm data
- encapsulate the alarm data in something like SSL or SSH so snort
can't see the scary bits any more
- write a BPF filter to blind snort to the traffic stream that's
carrying the alarms off-system
- disable the alarm that's looping
and maybe there are more alternatives.
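An added example, not code from this thread or from Snort, of the swatch-style check described above (stop the sensor and mail the admin once an hour holds more than some number of alerts), written as a plain shell script; the threshold, mail address, init script path and sample log lines are assumptions:

```shell
#!/bin/sh
# Added example (not code from the thread or from Snort): the swatch-style check the
# reply describes, written by hand. It counts snort alert lines per clock hour in a
# syslog file and stops the sensor when an hour holds more than LIMIT of them.
# LIMIT, NOTIFY, the init script path and the sample log are assumptions.
LIMIT=${LIMIT:-3}
NOTIFY=${NOTIFY:-admin@example.invalid}

# count_alerts LOGFILE "Mon DD HH": snort alert lines (those carrying a
# [gid:sid:rev] tag) stamped in that hour; startup and stats lines are skipped.
count_alerts() {
    grep -c "^$2:[0-9][0-9]:[0-9][0-9] [^ ]* snort\[[0-9]*]: \[[0-9]*:[0-9]*:[0-9]*]" "$1" || true
}

# over_limit LOGFILE "Mon DD HH" LIMIT: succeeds when the hour exceeds LIMIT.
over_limit() {
    [ "$(count_alerts "$1" "$2")" -gt "$3" ]
}

# stop_and_notify HOUR COUNT: the action. With DRY_RUN=1 (the default here) it
# only reports what it would do instead of stopping snort and sending mail.
stop_and_notify() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: /etc/init.d/snort stop; mail -s 'snort stopped' $NOTIFY ($2 alerts in $1)"
        return 0
    fi
    /etc/init.d/snort stop
    printf 'snort stopped: %s alerts during %s\n' "$2" "$1" |
        mail -s "snort stopped on $(hostname)" "$NOTIFY"
}

# make_sample_log FILE: constructed sample of a looping sensor's syslog (not real data).
make_sample_log() {
    cat > "$1" <<'EOF'
Dec 13 11:40:12 sensor1 snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 11:58:59 sensor1 snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 12:00:01 sensor1 snort[1234]: Initializing rule chains...
Dec 13 12:01:05 sensor1 snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 12:01:06 sensor1 snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 12:01:07 sensor1 snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 12:01:08 sensor1 snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 12:05:00 sensor1 sshd[77]: Accepted publickey for ops from 10.0.0.5
EOF
}
LOG=$(mktemp); make_sample_log "$LOG"; HOUR="Dec 13 12"
if over_limit "$LOG" "$HOUR" "$LIMIT"; then
    stop_and_notify "$HOUR" "$(count_alerts "$LOG" "$HOUR")"
fi
rm -f "$LOG"
```

Run against the real syslog file with DRY_RUN=0 and the current hour to get the behaviour the question asks for; the dry run only prints the action it would take.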