[Snort-users] Any Interest?

John Sage jsage at ...2022...
Thu Jan 17 06:31:03 EST 2002

Speaking for myself and possibly others, it would be *greatly* 
appreciated if you did *not* post in html format.

I have a feeling that a significant number of people wouldn't even 
accept an html-formatted email: those email clients that render *all* 
the html tags, for example, completely overwhelm the actual text of your 
message because the tags are really just text, too.

I would be willing to bet that some procmail filters just send this sort 
of thing to /dev/null...

...just a thought.

- John

The web page you seek
cannot be found here:
countless others await

Brian Bartlett wrote:

> Let me try again, :-)
> I'm new to this list as of last week, so this question may be redundant. 
> At the risk of starting an OS/NOS religious war, I have been playing with 
> the WIN32 port of snort since September. I started with just the simple 
> command line version and have slowly added more of the whiz-bang 
> enhancements as I went. I am presently running 3 sensors. One is just 
> the basic command line version alerting through IDSCenter on my 
> broadband connection at home. The others are the win32 MySQL compile on 
> Windows 2000 on my laptop and a test server at work. I have installed 
> and configured ACID on IIS 5.0 and the win32 release of Apache. I am 
> using TextPad, IDSCenter and IDS Policy Manager (ActiveWorx) as 
> configuration tools. Through the months of testing I have kept the 
> original alert.ids file current with all the data gathered by the 
> sensors. Obviously this is not the ideal place to keep this info, which 
> leads me to my questions.
> 
> 1. Is there a tool or command line to parse this info into my MySQL 
>    database (I'm not a SQL guru but have dabbled and am not afraid of 
>    SQL scripts :-) )?
> 2. This one is more general, but once I have all this info in the db I 
>    can at least look at it with ACID and start to see trends. What are 
>    the "Best Practices" for tuning my rules based on my data to reduce 
>    false positives and then modify alerting to include email and/or 
>    pager support?
> 3. I am using NmapNT and Netcat for NT to scan and probe my sensors to 
>    produce alerts. Any other neat tools I should be using to tune the 
>    rules?
> 4. My home network and laptop have a software firewall installed on 
>    them (Tiny Personal Firewall). Will this affect the sensors installed 
>    on these PCs? If I understand the WinPcap docs, this driver lies 
>    beneath the IP stack and should see the packets before the firewall 
>    does, correct?
> 
> Thanks in advance for any help.
> Brian D. Bartlett
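Regarding question 1 in the quoted post, a worked example added to this archive page (not code from the thread, and not a Snort or ACID tool): it parses Snort's single-line "-A fast" alert format into a SQL table with parameterized inserts and then runs the per-signature count that is the usual first step in tuning out noisy rules. Assumptions: the alert file is in fast format (the multi-line "full" format that alert.ids may contain would need a different parser); the table is a minimal invented one, not the ACID/snort-mysql schema; sqlite3 stands in for MySQL so the example runs offline; the sample alert lines are constructed, not captured.

```python
"""Parse Snort fast-format alerts and load them into a SQL table.

Added example, not from the original thread or from the Snort project.
Assumes the single-line -A fast format; the table is an invented minimal
schema (NOT the ACID schema); sqlite3 stands in for MySQL.
"""
import re
import sqlite3
from typing import Optional

# Constructed sample alerts in -A fast format (not captured data).
# The last line is deliberate junk to show that non-alert lines are skipped.
SAMPLE_ALERTS = """\
01/16-22:14:07.512003  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.50 -> 192.168.1.10
01/16-22:14:09.001230  [**] [1:1418:2] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.50:33211 -> 192.168.1.10:161
01/16-22:14:11.778100  [**] [1:1000001:1] LOCAL netcat banner probe [**] [Priority: 3] {TCP} 192.168.1.50:33214 -> 192.168.1.10:80
this line is not an alert and must be skipped
"""

# One fast-format alert per line: timestamp, [gid:sid:rev], message,
# optional classification, priority, {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Hypothetical minimal table; NOT the ACID / snort-mysql schema.
DDL = """
CREATE TABLE IF NOT EXISTS alert (
    id             INTEGER PRIMARY KEY,
    ts             TEXT NOT NULL,
    gid            INTEGER NOT NULL,
    sid            INTEGER NOT NULL,
    rev            INTEGER NOT NULL,
    msg            TEXT NOT NULL,
    classification TEXT,
    priority       INTEGER NOT NULL,
    proto          TEXT NOT NULL,
    src_ip         TEXT NOT NULL,
    src_port       INTEGER,
    dst_ip         TEXT NOT NULL,
    dst_port       INTEGER
)
"""

INSERT = (
    "INSERT INTO alert (ts, gid, sid, rev, msg, classification, priority,"
    " proto, src_ip, src_port, dst_ip, dst_port)"
    " VALUES (:ts, :gid, :sid, :rev, :msg, :cls, :pri,"
    " :proto, :src, :sport, :dst, :dport)"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one fast-format alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None  # ICMP alerts carry no ports
    return d


def load_alerts(text: str, conn: sqlite3.Connection) -> int:
    """Parse every line of `text` and insert the alerts; returns the row count."""
    conn.execute(DDL)
    rows = [r for r in (parse_alert(line) for line in text.splitlines()) if r]
    # Parameterized inserts: message text never gets spliced into the SQL string.
    conn.executemany(INSERT, rows)
    conn.commit()
    return len(rows)


def top_signatures(conn: sqlite3.Connection, limit: int = 5):
    """Alert count per signature, busiest first: the first tuning report to run."""
    return conn.execute(
        "SELECT gid, sid, msg, COUNT(*) AS n FROM alert"
        " GROUP BY gid, sid, msg ORDER BY n DESC, sid LIMIT ?",
        (limit,),
    ).fetchall()


def load_into_memory(text: str):
    """Convenience: load `text` into a fresh in-memory DB, return (count, top list)."""
    conn = sqlite3.connect(":memory:")
    n = load_alerts(text, conn)
    return n, top_signatures(conn)


if __name__ == "__main__":
    count, top = load_into_memory(SAMPLE_ALERTS)
    print(f"loaded {count} alerts")
    for gid, sid, msg, n in top:
        print(f"{n:5d}  [{gid}:{sid}] {msg}")
```

To point it at MySQL, swap the sqlite3 connection for a DB-API driver and keep the parameterized INSERT; the regex is the only part tied to the alert format, so a file written in the multi-line full format would need a different parser rather than a different loader.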
