[Snort-users] snort on OSSIM

Crook, Parker Parker_Crook at ...14786...
Tue Mar 16 14:41:03 EDT 2010


Kaushal,

Ray is correct - I was using Snort on OSSIM for quite a while and the snort files are located in /etc/snort.  As far as tuning snort, you would still need to define your variables in the snort.ethX.conf file, where ethX is the configuration file Snort will use for the respective interface.

As far as configuring goes, there is a snort.debian.conf file that you can use to set some of your options (example contents below):

#this sets $HOME_NET in the command-line call - leave empty if $HOME_NET is set
#in your config file, else define it here.
DEBIAN_SNORT_HOME_NET="192.168.0.0/16,1.2.3.0/24"
#listen on eth1, eth2, and eth3 - starts multiple instances of snort, using
#their respective config files
DEBIAN_SNORT_INTERFACE="eth1,eth2,eth3"
#use a Berkeley Packet Filter file
DEBIAN_SNORT_OPTIONS="-F bpf.filt"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"

Now, stepping outside of talking about Snort, if you are using OSSIM in all-in-one mode, then your output module for Snort should already be configured and logging to your database out of the box (otherwise you will need to set up the sensor->server communication channel in the OSSIM configs).  You can view alerts from Snort on the webpage under Events->Alerts I believe...

Hope this helps,
Parker Crook

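The post above describes how the Debian-style snort.debian.conf drives start-up: one snort process per interface in DEBIAN_SNORT_INTERFACE, each with its own snort.ethX.conf, and $HOME_NET pushed in from the command line only when DEBIAN_SNORT_HOME_NET is non-empty. The script below is an added example, not Parker's text and not the Debian or OSSIM init script itself; it replays that logic on the same sample values so you can see which instances would start and which per-interface config files are missing before restarting the sensor. The /etc/snort location comes from the thread; the exact argument shape (-i, -c, -S HOME_NET=[...]) and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: mirror the per-interface start-up logic implied by
# snort.debian.conf. Not the packaged init script; paths and the way
# HOME_NET is passed (-S HOME_NET=[...]) are assumptions for illustration.

# Constructed sample of snort.debian.conf contents (same keys as in the post).
DEBIAN_SNORT_HOME_NET="192.168.0.0/16,1.2.3.0/24"
DEBIAN_SNORT_INTERFACE="eth1,eth2,eth3"
DEBIAN_SNORT_OPTIONS="-F bpf.filt"

# Where the per-interface snort.ethX.conf files live (location per the thread).
SNORT_CONF_DIR=/etc/snort

# One interface name per line, from the comma-separated Debian variable.
interfaces() {
    printf '%s\n' "$DEBIAN_SNORT_INTERFACE" | tr ',' '\n'
}

# Argument list one snort instance would be started with. $1 = interface.
snort_args_for() {
    iface="$1"
    args="-i $iface -c $SNORT_CONF_DIR/snort.$iface.conf"
    # Only override HOME_NET from the command line when the Debian variable
    # is set; otherwise the value in snort.<iface>.conf stands.
    if [ -n "$DEBIAN_SNORT_HOME_NET" ]; then
        args="$args -S HOME_NET=[$DEBIAN_SNORT_HOME_NET]"
    fi
    if [ -n "$DEBIAN_SNORT_OPTIONS" ]; then
        args="$args $DEBIAN_SNORT_OPTIONS"
    fi
    printf '%s\n' "$args"
}

# One line per instance that would be launched.
planned_instances() {
    for iface in $(interfaces); do
        snort_args_for "$iface"
    done
}

# Number of instances that would be launched (sanity check: should equal the
# number of interfaces you intended to monitor).
instance_count() {
    planned_instances | wc -l | tr -d ' '
}

# Interfaces whose per-interface config file does not exist; such an
# instance would fail to start and that interface would go unmonitored.
missing_configs() {
    for iface in $(interfaces); do
        if [ ! -f "$SNORT_CONF_DIR/snort.$iface.conf" ]; then
            printf '%s\n' "$iface"
        fi
    done
}

planned_instances
missing_configs
```

Run it on the sensor as-is to see the three planned command lines; clear DEBIAN_SNORT_HOME_NET in the sample to confirm the -S override disappears and the value in each snort.ethX.conf takes effect instead.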
-----Original Message-----
From: Ray Caparros [mailto:arcy24 at ...11827...]
Sent: Tuesday, March 16, 2010 12:19 PM
To: Kaushal Shriyan
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort on OSSIM

Kaushal,

I believe the snort instance in OSSIM is located at /etc/snort.
Here's the link on their forum https://www.alienvault.com/forum/

-Ray

On Tue, Mar 16, 2010 at 11:29 AM, Kaushal Shriyan
<kaushalshriyan at ...11827...> wrote:
> Hi
>
> I am newbie to snort. On what parameters or basis do i need to
> configure ruleset in snort. I am using snort under OSSIM Application.
>
> Please suggest/guide.
>
> Thanks and Regards,
>
> Kaushal
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
