[Snort-users] Setting up simple LAN-sniffing for bad signatures?

Jeremy Hoel jthoel at ...11827...
Fri Jan 2 22:26:21 EST 2015


Please reply to the list.

"All bad traffic" is variable for different people and different networks.
One person might not mind Tor or P2P traffic and another will block all
social media. There is no one size fits all solution.

If you look at the snort.conf file near the bottom you can see the rules
files that can get loaded. Pulledpork is a tool to automatically get rules
from sources and modify them together of needed and then restart snort.
Its config file lists URLs from VRTs community rulset and Emerging Threats
free ruleset. Check out those sources of rules and then enable the ones you
want to use.

If you want to use custom rules, the default is to put them in local.rules.
On Jan 2, 2015 7:51 PM, "PattiMichelle" <miche1 at ...741...> wrote:

>  Thanks, Jeremy - I guess I would like to "sniff" for all known bad
> traffic.  Krebs put out a Snort signature for the Sony hack software.  So
> it would be good if it could be a text file of rules.  Do you know of a DIY
> online for doing this?  I don't really understand the terminology.  I
> thought I understood pulledpork, but for some reason I'm not.
>
> Patricia
>
> On 01/02/2015 01:35 PM, Jeremy Hoel wrote:
>
> If you just want to look for bad traffic that you are specifying and not
> using rules from VRT or ET, then you just want to make local.rules and have
> snort read that.  It's not a database per se, but just a text file that you
> create the rules in.  If it's the logging you are having problems with, you
> ned to specify how you want the output to go.. to a unified2 file, syslog
> or text file.
>
>  You can sniff and manage on the same interface, though it's not
> recommended for production to do it that way.
>
>
>
> On Fri, Jan 2, 2015 at 2:18 PM, PattiMichelle <miche1 at ...741...>
> wrote:
>
>>  Dear Snort Users:  I'm trying to figure out how to set up Snort on my
>> Opensuse 13.1x64 system to sniff (and log) instances of "bad" network
>> traffic (via snort signature database).  It seems tricky to get this
>> going.  There are websites which gave me enough information to get the
>> sniffer operational, but I can't seem to figure out how to get to read a
>> database of bad signatures, and log only those bad ones.  Does anyone have
>> a simple DIY for this?  I'm not trying to set up an alarm or automatic
>> response system.  Just to have a logfile available to look at from time to
>> time, or maybe diff occasionally.
>>
>> Also, is it necessary to run snort in a virtual machine as a "sandbox,"
>> or else to have two NICs, one for normal LAN traffic and the other for
>> Snort?
>>
>> Thank You Very Much,
>> Patricia
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming! The Go Parallel Website,
>> sponsored by Intel and developed in partnership with Slashdot Media, is
>> your
>> hub for all things parallel software development, from weekly thought
>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>> look and join the conversation now. http://goparallel.sourceforge.net
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150102/d6e95e43/attachment.html>


More information about the Snort-users mailing list