[Snort-users] stopping snort

Alberto Gonzalez albertg at ...7149...
Fri Dec 13 13:05:03 EST 2002


daemontools?

Bennett Todd wrote:

>2002-12-13-13:54:14 Don:
>
>>Has anyone found a way to stop snort, automatically, [...]
>
>That's very much a platform-specific question. On platforms on which
>I'd try and support snort, when it's installed the way I'd install
>it, I can always stop it with "/etc/init.d/snort stop".
>
>>What I want to do is have snort stop, if it gets more than 'x'
>>alerts in a single hour, or some time frame, then of course email
>>me that it has stopped.
>
>On the platforms where I'd support snort, I'd just use swatch with a
>rule to stop snort. No new engineering required. However, I wouldn't
>actually set this up; instead, I'd fix the underlying problem of
>looping errors.
>
>>I do go to syslog with alerts. Any suggestions? I have a
>>particular sensor that periodically starts alerting on something,
>>that just causes a round robin effect, and fills up the logs with
>>the same error over and over and over, it gets really boring
>>actually.
>
>Sounds like the snort alert is re-triggering the alarm. You've got
>several choices.
>
>- don't ship the snort alerts off-system
>- don't ship them through an interface that snort is watching
>- fix the signature so it doesn't re-signal on its own alarm data
>- encapsulate the alarm data in something like SSL or SSH so snort
>  can't see the scary bits any more
>- write a BPF filter to blind snort to the traffic stream that's
>  carrying the alarms off-system
>- disable the alarm that's looping
>
>and maybe there are more alternatives.
>
>-Bennett

-- 
The secret to success is to start from scratch and keep on scratching.
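Added example, not part of any message in this thread: two of the options Bennett lists above, written out as shell so they can be checked against sample input. The first is a BPF expression that blinds snort to the sensor's own syslog stream to the collector; the second is the threshold check Don asked for, the kind of rule a swatch-style log watcher would evaluate before running "/etc/init.d/snort stop". The collector address 192.0.2.10, the interface eth1, syslog over UDP 514, the threshold of 3 and the syslog lines themselves are all constructed for the example.

```shell
#!/bin/sh
# Example code written for this page; not from the Snort project or the thread.

# --- Option 1: blind snort to the alert stream leaving the box -------------
LOGHOST=192.0.2.10      # assumed syslog collector
SENSOR_IF=eth1          # assumed sniffing interface

# BPF expression that drops the sensor's own syslog traffic (UDP 514) to
# LOGHOST before snort ever sees it, so an alert cannot re-trigger itself.
snort_bpf_filter() {
    printf 'not (dst host %s and udp port 514)' "$LOGHOST"
}

# Resulting snort invocation (shown for reference, not executed here):
#   snort -i "$SENSOR_IF" -c /etc/snort/snort.conf "$(snort_bpf_filter)"

# --- Option 2: stop snort after too many alerts in one hour ---------------
# Constructed sample syslog excerpt; a real watcher would read /var/log/messages.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Dec 13 12:59:58 sensor snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 13:00:01 sensor snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 13:00:02 sensor snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 13:00:03 sensor snort[1234]: [1:1000001:1] EXAMPLE looping alert
Dec 13 13:05:00 sensor sshd[999]: Accepted publickey for don from 192.0.2.5
Dec 13 14:00:00 sensor snort[1234]: [1:1000001:1] EXAMPLE looping alert
EOF

# count_alerts LOGFILE "Mon DD HH": number of snort alert lines whose syslog
# timestamp falls in that hour. Non-snort lines (sshd above) are ignored.
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
count_alerts() {
    grep -c "^$2:.* snort\[[0-9]*\]: " "$1" || true
}

# should_stop COUNT THRESHOLD: succeed when COUNT exceeds THRESHOLD.
should_stop() {
    [ "$1" -gt "$2" ]
}

# Decision for the constructed hour 13:xx. On a live sensor the "stop"
# branch would run the platform's init script and mail the operator, e.g.
#   /etc/init.d/snort stop && echo "snort stopped after $n alerts" | mail -s "snort stopped" root
n=$(count_alerts "$SAMPLE_LOG" "Dec 13 13")
if should_stop "$n" 3; then
    echo "would stop snort: $n alerts in hour 'Dec 13 13' (threshold 3)"
else
    echo "no action: $n alerts in hour 'Dec 13 13'"
fi
```

The BPF filter is the cleaner fix of the two: it removes the feedback loop rather than reacting to it, and unlike stopping the daemon it does not leave the segment unmonitored. The threshold check is only worth deploying while the looping signature is being repaired.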