FW: [Snort-users] Policy-Based monitoring

Kaplan, Andrew H. AHKAPLAN at ...10063...
Thu Oct 14 14:00:08 EDT 2004


-----Original Message-----
From: Kaplan, Andrew H. 
Sent: Thursday, October 14, 2004 1:17 PM
To: 'Schott, Erik J Mr ANOSC/FCBS'
Cc: Snort User Group (E-mail)
Subject: RE: [Snort-users] Policy-Based monitoring


Hi Erik --

I did a check of the README.alert_order file but I am not sure as to how I can
change the rule application order 
from it current setting of: 
					activation->dynamic->alert->pass->log 
to the one I prefer which is: 
					activation->dynamic->pass->alert->log

Correct me if I'm wrong, but if I'm using a policy-based.rules file shouldn't
the pass items be handled first, and
then if the packet does not match any of the pass items it should then fall
under the alert category? 

-----Original Message-----
From: Schott, Erik J Mr ANOSC/FCBS
[mailto:erik.schott-FCBS at ...12562...]
Sent: Wednesday, October 13, 2004 7:28 PM
To: Kaplan, Andrew H.
Subject: RE: [Snort-users] Policy-Based monitoring


Hi Andrew.  Where you put the rule in your snort.conf determines which rule
snort selects when it receives a matching packet.  The
snort-2.2.0/doc/README.alert_order file is where you want to look.  It
explains the rule selection algorithm fairly well.

HTH.

Erik

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Kaplan,
Andrew H.
Sent: Wednesday, October 13, 2004 5:47 AM
To: Snort User Group (E-mail)
Subject: [Snort-users] Policy-Based monitoring


Hi there --

I got Snort to operate successfully and alerts are appearing on the ACID
console. My next step is to refine the monitoring, and to that end the
approach
that I was planning on taking was using a policy-based.rules file. I will be
modifying the snort.conf file to include the line: include
$RULE_PATH/policy-based.rules.

The questions I have are, does the position of the new line matter? Should I
put
the new line at the beginning of the include statements or after them? Also,
besides
adding the line is there anything else that I need to do to Snort, or is
simply
adding the above line sufficient? Thanks.


-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list