[Snort-users] new snort user

james hackerwacker at ...3784...
Sat Nov 29 00:55:02 EST 2003


What OS & platform are you running this on ? I'll guess
*nix.

"ps -ax | grep snort" or just a "ps -ax" and look for it.
If you have a busy network, Snort will hang out at the
top of a "top" command. All of this depends on OS, so it would
help to know that. Start snort without the "-D" and see what happens,
it either will or will not load. Easy. It even tells you what did not
work.

As to starting command flags, it really depends on how
you want to log (full/some headers & binary), , and some other
behaviors. So it depends on what 
you want to do and how you like your data to be collected. Take
a look at what you are collecting now and see if you find it useful.
There is not "right" way, as long as it runs !

the "-l" is to set the dir for logging. "-b" means you are capturing
any packets that match your rules, in binary format. If that is what you
want, then I would just specify a path to the "-l" flag, like "-l
/var/log/snort/" and you are good to go.

You might find these flags useful:
snort -c snort.conf -l /var/log/snort/ -A full

"-A full" gives you a nice log called "alert" with just
the full headers, in ascii decode, ie txt format. The name of
the rule matched & packet headers for every rule match are written
to "alert"file. This format might be more useful to you, but if you want
binary capture too, just add the flags. Fire up snort and "tail -f
alert" to see what is going on.

What is on your network ? Servers, clients ? MS, Linux, or Plan9 ?
With this in mind, go to the end of your config and comment out
all the rules you do not need. Then you play the game of "do I live
with this many alerts or do a comment out rule X". You should read the
book "TCP/IP Illustrated" to better answer this question, it is a really
good read, even for a tech book. Is a real alert or a false positive
is a somewhat personal question, with respect to the network Snort is
listening to. Some alerts are bad in almost all situations but for many,
it depends on what you think is OK and your network. If you have mail,
web, or whatever servers, by all means define them in your conf. The
Internet is very noisy, so don't throw all your rules at your whole
address space. If you want to detect scans, you are good to go. 

Do keep in mind, with your Snort box you have now done most
of the hackers job, he just has to crack your box. As your box
hears everything it makes a great target. Read up on securing your OS.  














More information about the Snort-users mailing list