[Snort-users] Snorby usage

Doug Burks doug.burks at ...11827...
Wed Nov 5 17:26:26 EST 2014


Hi Pradeep,

Replies inline.

On Wed, Nov 5, 2014 at 4:51 PM, Pradeep Mocherla <saipradeep7 at ...11827...> wrote:
> Hi, I'm new to snorby. I'm doing a project where I need to create 3 machines
> to be installed in a virtual box. One for attacking, one more for observing
> and other one as a victim. Now I'm using security onion for observing
> attacks, Kali Linux to attack and again Linux as a victim. Now I have few
> doubts regarding usage of snorby in security onion.
> How to set the ids to monitor the victim IP address that is Linux address
> i.e. where do I need to change the setting.

Please see:
https://code.google.com/p/security-onion/wiki/PostInstallation

"If you're monitoring IP address ranges other than private RFC1918
address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12), you should
update your sensor configuration with the correct IP ranges. Sensor
configuration files can be found in /etc/nsm/HOSTNAME-INTERFACE/.
Modify either snort.conf or suricata.yaml (depending on which IDS
engine you chose during sosetup) and update the HOME_NET variable."

> Second one, how to change the rules to snorby or view the rules in snorby??

Please see:
https://code.google.com/p/security-onion/wiki/ManagingAlerts
https://code.google.com/p/security-onion/wiki/AddingLocalRules

If you have further questions or problems relating to Security Onion,
please use the security-onion Google Group:
https://code.google.com/p/security-onion/wiki/MailingLists


-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
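As an added example (not from this thread or from the Security Onion project), the following Python check parses the ipvar HOME_NET line of a snort.conf fragment and reports whether a given victim address is covered, so you can confirm the sensor treats the victim VM as "home" before expecting alerts; the sample conf and the 203.0.113.0/24 lab range are constructed, and the parser assumes the flat list that sosetup writes.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (not from the thread): the default
# HOME_NET covers only RFC1918 space, so a victim VM on the hypothetical
# 203.0.113.0/24 lab range below would not be treated as "home".
SAMPLE_SNORT_CONF = """
# Setup the network addresses you are protecting
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar EXTERNAL_NET !$HOME_NET
"""

HOME_NET_RE = re.compile(r'^[ \t]*ipvar[ \t]+HOME_NET[ \t]+(\S+)', re.MULTILINE)

def parse_home_net(conf_text):
    """Return (included, excluded) networks from the ipvar HOME_NET line.

    Handles 'any', a single CIDR or host, a flat bracketed list and '!'
    negation. Nested bracket groups and $VAR references are not expanded
    (assumption: the flat list that sosetup writes).
    """
    m = HOME_NET_RE.search(conf_text)
    if not m:
        raise ValueError("no ipvar HOME_NET line found")
    value = m.group(1)
    if value.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0"),
                ipaddress.ip_network("::/0")], []
    included, excluded = [], []
    for tok in value.strip("[]").split(","):
        tok = tok.strip()
        if not tok:
            continue
        net = ipaddress.ip_network(tok.lstrip("!"), strict=False)
        (excluded if tok.startswith("!") else included).append(net)
    return included, excluded

def covers(conf_text, host):
    """True if the HOME_NET written in conf_text includes the address host."""
    included, excluded = parse_home_net(conf_text)
    addr = ipaddress.ip_address(host)
    return (any(addr in n for n in included)
            and not any(addr in n for n in excluded))

def set_home_net(conf_text, networks):
    """Rewrite the ipvar HOME_NET line to a flat list of the given CIDRs."""
    new_line = "ipvar HOME_NET [%s]" % ",".join(networks)
    return HOME_NET_RE.sub(new_line, conf_text, count=1)
```

Run `covers(SAMPLE_SNORT_CONF, "<victim IP>")` against a copy of /etc/nsm/HOSTNAME-INTERFACE/snort.conf; if it returns False, add the victim's range with set_home_net and restart the sensor.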