[Snort-users] Help newb understand how Snort is supposed to run.
John C. Silvia
john at ...13282...
Thu Aug 25 08:30:30 EDT 2005
Chris W. Parker wrote:
>My intent is to get a better idea of what kind of traffic is traversing
>my network. I don't know what kind of attacks I'm on the look out for
>but I was hoping Snort would let me know (using the rule files). Of
>course I expect to learn more as I go along.
Chris, another tool you should take a look at is called ntop. When run,
ntop sniffs the network and categorizes the traffic by type, source,
destination, protocol, etc. It's not an IDS, but it provides a nice
web-based interface for seeing what's going on through traffic summaries.
Another neat tool for seeing what's going on in a network is a live view
tool called etherape, which draws the traffic as lines connecting IPs,
thickness in bandwidth, protocol in color.
Both of these tools are excellent for seeing, at the most basic level,
what is going on. They'll also tell you what kind of attacks you should
be looking for as well.
Once you have an idea what's going on, Snort can then look "under the
hood" for you - but analysis is still best done with a tool made for
doing just that. Just running snort with all of the default signatures
will provide you with a huge haystack of data - and finding any needles
won't be as easy as you'd think without a proper analysis tool.
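As an added illustration of the "haystack" point (example code, not from the thread or from the Snort project): the script below parses lines in Snort's fast-alert format and aggregates them by signature, source, destination and priority, which is the minimum post-processing needed before the default rule set's output becomes readable. The alert lines, the signature IDs 1000001-1000003, the message texts and the addresses (RFC 5737 documentation ranges) are all constructed for this example.

```python
import re
from collections import Counter

# Snort "alert_fast" output, one alert per line. The regex below follows
# the fast-alert layout; ports are optional because ICMP alerts have none.
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample alerts (not real Snort output): three low-priority ICMP
# hits from one host, two high-priority SMB hits from the same host, one
# web alert from elsewhere, and one junk line to show how garbage is counted.
SAMPLE_LINES = """\
08/25-08:01:02.100000  [**] [1:1000001:1] EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.1
08/25-08:01:03.200000  [**] [1:1000001:1] EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.2
08/25-08:01:04.300000  [**] [1:1000001:1] EXAMPLE ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 192.0.2.3
08/25-08:02:10.000000  [**] [1:1000002:2] EXAMPLE SMB admin share access [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4444 -> 192.0.2.5:445
08/25-08:02:11.000000  [**] [1:1000002:2] EXAMPLE SMB admin share access [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4445 -> 192.0.2.6:445
08/25-08:03:00.500000  [**] [1:1000003:1] EXAMPLE HTTP long URI [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.0.2.20:80
this line is not an alert and must be counted as unparsed
""".splitlines()


def parse_alert(line):
    """Return a dict of fields for one fast-alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    fields["sid"] = int(fields["sid"])
    return fields


def summarize(lines):
    """Aggregate alert lines into the counters an analyst wants first."""
    alerts = []
    unparsed = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            unparsed += 1
        else:
            alerts.append(a)
    return {
        "total": len(alerts),
        "unparsed": unparsed,
        "by_signature": Counter(a["msg"] for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_dst": Counter(a["dst"] for a in alerts),
        # Priority 1 is Snort's highest; these are the "needles" to read first.
        "high_priority": [a for a in alerts if a["prio"] == 1],
    }


def report(summary):
    """Print the summary in the order an analyst triages: needles, then volume."""
    print(f"{summary['total']} alerts parsed, {summary['unparsed']} lines unparsed")
    print("priority-1 alerts:")
    for a in summary["high_priority"]:
        print(f"  {a['ts']} sid={a['sid']} {a['src']} -> {a['dst']} {a['msg']}")
    print("top signatures:")
    for msg, n in summary["by_signature"].most_common(5):
        print(f"  {n:5d} {msg}")
    print("top sources:")
    for src, n in summary["by_src"].most_common(5):
        print(f"  {n:5d} {src}")


if __name__ == "__main__":
    report(summarize(SAMPLE_LINES))
```

Run it as-is to see the constructed sample summarized; pointing it at a real alert file means replacing SAMPLE_LINES with the file's lines. The useful design point is that the noisy signature (the ICMP rule) dominates by count while the two priority-1 events from the same source are what actually deserve a look, which is exactly what a raw alert file hides.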