[Snort-users] snort installation and usage

waldo kitty wkitty42 at ...14940...
Sat Jan 18 19:57:48 EST 2014


On 1/18/2014 1:48 PM, Adrian Sevcenco wrote:

> This confirmation is enough :) Thanks!

you are welcome ;)

> OTOH, how do you use snort? is there a GUI of some kind that can be a
> direct visual interface for the snort data? (without the intermediate
> database?)

no... our operation reads snort's default ALERT file directly and issues 
automatic firewall blocking commands based on our app's configuration and the 
alert's level of severity... as with any other security setup, this requires 
tuning for one's network and its traffic... in our setup, the only human 
interaction is to white list IPs or rules by GID/SID or whole entire GID groups...

for our users that have the time to perform the necessary tuning, this works 
great... for those that don't have the time to tune or don't have the time to 
learn what's needed to know to decide what method to use to tune (eg: you can 
white list by IP, SID or GID and each can be done in one of several places which 
give different benefits or drawbacks), it can be a bit of a hassle and lead to 
quite some complaints due to a lack of understanding...

our app is not something that you set and forget... it requires human tuning for 
the first "while" of use... "while" may be days or months... it is generally not 
something that a support service can offer unless they can get intimate with 
their clients' networks and stay intimate with that network until the tuning is 
done...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
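The pipeline described above (read Snort's alert file, whitelist by IP, SID or GID, act on the alert's priority) sketched as an added example; this is not the poster's app, the regex is written for Snort's "alert_fast" output format, and the sample alert lines and policy values are constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Snort "alert_fast" layout (IPv4 only here; Priority 1 is the most severe):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {PROTO} SRC[:PORT] -> DST[:PORT]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*? \[\*\*\].*?\[Priority: (?P<prio>\d+)\]"
    r".*?\{\w+\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> \d+\.\d+\.\d+\.\d+(?::\d+)?\s*$"
)
@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    priority: int
    src: str
@dataclass
class Policy:
    block_priority: int = 2                  # block when Priority <= this value
    whitelist_nets: tuple = ()               # source networks/IPs that are never blocked
    whitelist_sids: frozenset = frozenset()  # individual rules (SID) never acted on
    whitelist_gids: frozenset = frozenset()  # whole generator (GID) groups never acted on

def parse_alert(line: str) -> "Alert | None":
    """Parse one alert_fast line; None for a line that is not in that format."""
    m = ALERT_RE.search(line)
    return None if m is None else Alert(int(m["gid"]), int(m["sid"]), int(m["prio"]), m["src"])

def decide(alert: Alert, policy: Policy) -> str:
    """'ignore' (whitelisted), 'block' (severe enough) or 'log' (record only)."""
    if alert.gid in policy.whitelist_gids or alert.sid in policy.whitelist_sids:
        return "ignore"
    if any(ip_address(alert.src) in ip_network(n, strict=False) for n in policy.whitelist_nets):
        return "ignore"
    return "block" if alert.priority <= policy.block_priority else "log"

def plan_blocks(lines, policy: Policy) -> dict:
    """Group the distinct source IPs of parseable alerts by the decision taken on them."""
    plan = {"block": set(), "log": set(), "ignore": set()}
    for alert in filter(None, map(parse_alert, lines)):
        plan[decide(alert, policy)].add(alert.src)
    return {k: sorted(v) for k, v in plan.items()}

# Constructed sample alert lines (not captured traffic); rule SIDs are in the local-rule range.
SAMPLE_ALERTS = [
    "01/18-19:57:48.000001  [**] [1:1000001:1] LOCAL scanner probe [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.7:40000 -> 192.0.2.10:22",
    "01/18-19:57:49.000002  [**] [1:1000002:1] LOCAL noisy broadcast [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.8:137 -> 192.0.2.255:137",
    "01/18-19:57:50.000003  [**] [119:4:1] (http_inspect) constructed preprocessor event [**] [Priority: 3] {TCP} 198.51.100.5:51234 -> 192.0.2.10:80",
    "01/18-19:57:51.000004  [**] [1:1000003:1] LOCAL severe hit from a trusted host [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 192.0.2.50:33333 -> 192.0.2.10:443",
    "01/18-19:57:52.000005  [**] [1:1000001:1] LOCAL scanner probe [**] [Classification: Attempted Recon] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
]
# Constructed policy: our own subnet is never blocked and the whole http_inspect group (GID 119) is ignored.
POLICY = Policy(block_priority=2, whitelist_nets=("192.0.2.0/24",), whitelist_gids=frozenset({119}))
```

plan_blocks only returns the decision per source IP; issuing the actual firewall command is left to the caller so the decision logic can be tuned and tested without touching the firewall.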