[Snort-users] Help newb understand how Snort is supposed to run.

John C. Silvia john at ...13282...
Thu Aug 25 08:30:30 EDT 2005

Chris W. Parker wrote:

>My intent is to get a better idea of what kind of traffic is traversing
>my network. I don't know what kind of attacks I'm on the look out for
>but I was hoping Snort would let me know (using the rule files). Of
>course I expect to learn more as I go along.
Chris, another tool you should take a look at is called ntop.  When run, 
ntop sniff's the network and categorizes the traffic by type, source, 
destination, protocol, Etc.  It's not an IDS, but it provides a nice 
web-based interface for seeing what's going on through traffic summaries.

Another neat tool for seeing what's going on in a network is a live view 
tool called etherape, which draws the traffic as lines connecting IP's, 
thickness in bandwidth, protocol in color.

Both of these tools are excellent for seeing, at the most basic level, 
what is going on.  They'll also tell you what kind of attacks you should 
be looking for as well.

Once you have an idea what's going on, Snort can then look "under the 
hood" for you - but analysis is still best done with a tool made for 
doing just that.  Just running snort with all of the default signatures 
will provide you with huge haystack of data - and finding any needles 
won't be as easy as you'd think without a proper analysis tool.


More information about the Snort-users mailing list