[Snort-users] snort on OSSIM

Crook, Parker Parker_Crook at ...14786...
Wed Mar 17 10:39:05 EDT 2010


I see at https://www.alienvault.com/forum/index.php?t=msg&th=1755&start=0&S=b8d60b94e6c1d460ebf808dfc78343a5 that you couldn't find where this used to be, under Configuration->Plugins.  I have not used 2.2, so I don't know where to change the priorities or reliability for rules in this case, as that is where it used to be.

Each of the rules should have a priority setting and a reliability that you can adjust, but usually the default levels are pretty spot-on for what you need.  Keep in mind, though, that if you want to stop getting an alert for a certain rule from Snort, you are better off using thresholding or suppression (via Snort, aka backend).  If you want to raise the reliability or the priority, though, that is where I would recommend making the change via the OSSIM web interface.

As far as where to do that now, you may want to email Dominique Karg over at Alienvault.


-----Original Message-----
From: Kaushal Shriyan [mailto:kaushalshriyan at ...11827...]
Sent: Wednesday, March 17, 2010 9:38 AM
To: Crook, Parker
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort on OSSIM

On Wed, Mar 17, 2010 at 6:50 PM, Crook, Parker <Parker_Crook at ...14786...> wrote:
> Kaushal,
> I honestly don't think you can configure Snort via the OSSIM web interface -- since there are only a number of settings that are passed from the OSSIM configs to the snort.debian.conf file, it would stand to reason that OSSIM itself is not reading the snort.conf file to pass it up to the webpage (since OSSIM never touches the file, but instead invokes the settings in the snort.debian.conf as command-line options).
> Pretty much the only thing you can configure in the web interface for Snort is the priority and reliability of the rules.
> -Parker

Hi Parker,

Thanks for the quick reply.

Where do I configure in the web interface for Snort the priority and
reliability of the rules? I checked under Configuration > Collection.

Could not locate it. I am using OSSIM 2.2

Please guide.

Thanks and Regards,

