[Snort-users] new user, great product, but ...

Allen, Garrett Garrett.Allen at ...8966...
Tue Apr 22 13:42:17 EDT 2003

sorry.  red hat 8.0.  thanks for the tips.  2.0 shows as beta on the
snort.org web page and i try to avoid beta software.  might i enquire as to
the nature of the vulnerability?


-----Original Message-----
From: twig les [mailto:twigles at ...131...]
Sent: Tuesday, April 22, 2003 4:37 PM
To: Allen, Garrett; 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] new user, great product, but ...

You didn't mention your OS, but since you have a /var I can
safely suggest quotas to at least make sure /var doesn't hit
100%.  Once you get mysql up you can stop logging to the flat
text.  If you are wondering if there is a method of making a
signature fire once/100 alerts or something like that then I
don't think that exists.

BTW, 1.9.1 has a vulnerability so as long as you're doing a
fresh install you might as well use 2.0.

--- "Allen, Garrett" <Garrett.Allen at ...8966...> wrote:
> heys,
> installed version 1.9.1 (build 231) of the pink beastie.  very
> interesting
> results captured from our network.  pointed to a potential
> issue with xp
> configs.  i'm generating log files, haven't quite got the
> mastery of mysql
> installation yet.  anyways, here's the question:
> the very day i started using snort for real was the day one of
> our wandering
> sales minstrels returns with an ms-sql worm.  it momentarily
> shut down our
> net when he fired up his machine, then went for coffee,
> flooding the network
> with traffic as a worm is wont to do.  we were able to quickly
> detect where
> the problem originated from and shut the machine down.  but in
> the meantime
> snort generated enough log files to fill /var.  ouch.  any way
> to slow down
> the volume of log entries?  any other operational tips?
> thanks in advance.

Know yourself and know your enemy and you will never fear defeat.         
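The question in the quoted mail (how to slow down the volume of log entries during a worm flood) and the remark that nothing fires a signature only once per 100 alerts can be approximated outside Snort by post-processing the alert file. The following is an added example, not code from this thread or from the Snort project: a Python script that parses Snort "fast"-format alert lines, passes the first alert per (rule id, source host) through, and then emits one summary record per 100 further repeats plus a final count. The alert lines, the rule ids 1:100:1 and 1:200:1, and the addresses are constructed for the example.

```python
import re
from collections import OrderedDict

# Snort "fast" alert line layout, e.g.
#   04/22-13:42:17.000001  [**] [1:100:1] msg [**] [Priority: 2] {UDP} 192.0.2.10:1434 -> 192.0.2.1:1434
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def _record(key, a, n, first_seen):
    return {"sid": key[0], "src": key[1], "msg": a["msg"], "count": n,
            "first_seen": first_seen, "last_seen": a["ts"]}


def squelch(lines, every=100):
    """Collapse repeated alerts keyed by (sid, source address).

    The first alert for a key passes through unchanged in meaning; after that
    one summary record is emitted per `every` further alerts, and a final
    summary is emitted at end of input for any key whose last alert did not
    fall on such a boundary. Returns the list of records with running counts.
    """
    counts = OrderedDict()   # key -> number of alerts seen
    first_seen = {}          # key -> timestamp of the first alert
    last = {}                # key -> most recent parsed alert
    out = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue         # skip blank or unparseable lines
        key = (a["sid"], a["src"])
        n = counts.get(key, 0) + 1
        counts[key] = n
        first_seen.setdefault(key, a["ts"])
        last[key] = a
        if n == 1 or n % every == 0:
            out.append(_record(key, a, n, first_seen[key]))
    for key, n in counts.items():
        if n != 1 and n % every != 0:
            out.append(_record(key, last[key], n, first_seen[key]))
    return out


def make_sample(n_flood=250, n_other=2):
    """Constructed alert lines: one host floods many targets, another fires a few."""
    flood = [
        f"04/22-13:42:{i % 60:02d}.{i:06d}  [**] [1:100:1] CONSTRUCTED UDP worm-like flood [**] "
        f"[Classification: Attempted DoS] [Priority: 2] {{UDP}} 192.0.2.10:1434 -> 192.0.2.{1 + i % 254}:1434"
        for i in range(n_flood)
    ]
    other = [
        f"04/22-13:43:{i:02d}.000000  [**] [1:200:1] CONSTRUCTED probe [**] "
        f"[Priority: 3] {{TCP}} 198.51.100.7:40000 -> 192.0.2.5:80"
        for i in range(n_other)
    ]
    return flood + other


if __name__ == "__main__":
    lines = make_sample()
    for r in squelch(lines, every=100):
        print(f"{r['last_seen']} sid={r['sid']} src={r['src']} count={r['count']} {r['msg']}")
    print(f"{len(lines)} alert lines -> {len(squelch(lines))} records")
```

On the constructed input this turns 252 alert lines into 6 records while keeping the first alert, the running count and the last-seen time for each source, which is what an on-call person needs to find the flooding host. It does not change what Snort itself writes to disk, so the quota or rotation suggestion for /var still applies; the script is meant to run over a rotated copy of the alert file or as a filter in front of whatever is reading it.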

