[Snort-users] New user question(s)
security at ...5028...
Wed Sep 22 06:21:05 EDT 2004
> I've setup snort, modified the snort.conf, have it running, but, reading the
> FAQ I've got a few questions.
> 1. What is the difference in running snortd vice snort w/cl parameters?
> 2. Reading the FAQ it states to start snort with snort -A full -c
> snort.conf then in the next line it states:
> Note that the default output mode (-A full) of snort should not be used
> in very controlled environments. It is the slowest way to run snort and
> presents several hard to recover from problems with inode creation on
> So, if this causes problems, how then should snort be started?
You should use unified or binary logging, unified output is preferred
these days since you can get everything you need by post processing the
files using barnyard. The documentation for barnyard is in the tarball
available at snort.org
> 3. I run no servers on my box. I've set it up in the belief that if would
> compliment my firewall. If my firewall is working sufficiently in my
> opinion, then do I even need to run an IDS?
Absolutely needed. Your firewall does not protect from application level
attacks and is subject to configuration issues, the IDS is a great
compliment to the firewall allowing you to audit what is really happening.
> I apologize in advance for the seemingly "dumb newbie questions"
More information about the Snort-users