Beginner snort user questions

Post by g00s » Mon, 12 Aug 2002 02:55:29

portsentry would probably work better for you...

> Hi there,

> I am setting up snort-1.8.7 for the first time on a Redhat 7.2 machine...

> I would like to run it in the background in obfuscated ip mode, using
> the current rules from the site.   It's a bit bizarre though... if I
> just run ./snort, it logs to /var/log/snort (which is fine) and only
> records scans of sensitive ports... I think.  I tested it out by running
> ess against the machine I set snort on, and sure enough it seems to
> track the scans.

> Does the default ./snort use the snort.conf files though?  I tried
> ./snort -dev -O -c snort.conf, but then it logs a -ton- of packets... if
> I just let this thing run for weeks, it will fill up my hard drive with
> snort logs.

> What is the most common configuration of snort that will only log the
> correct packets (meaning attempts to find vulnerabilities), not fill up
> my logs and yet provide the best information to track someone trying to
> scan me?

> The machine I'm installing this on is a standalone webserver colocated
> with our ISP.  All non-essential services are shut down, but I am
> concerned because this machine has been hacked before.  When that
> happened, I took it down and reinstalled everything from scratch, and
> now want to put some intrusion detection software on so I can tell when
> someone is portscanning me looking for vulnerabilities.

> Thanks!
> Bryan
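Added example (not from either poster, and not part of the thread): the "ton of packets" in the question comes from the `-v` in `-dev`, which makes Snort 1.x dump every packet it sees; run with `-c snort.conf` and without `-v`, and with `-A fast`, Snort writes one line per rule match instead. Once you have that, the question of "who is scanning me" becomes a log-triage problem, so this script parses alert-fast lines and summarises them per source address. It is offline and self-contained: the log lines are constructed for the example (local-range SIDs, `LOCAL ...` messages, documentation IPs), the home address is shown as `xxx.xxx.xxx.xxx` the way `-O` obfuscates it, and the field layout assumed is the standard one-line alert format (timestamp, `[gid:sid:rev]`, message, optional classification and priority, `{proto}`, `src[:port] -> dst[:port]`). Preprocessor lines such as `spp_portscan` have a different shape and are counted as unparsed rather than guessed at.

```python
"""Summarise Snort alert-fast lines per source address.

Added example for the thread, not the project's code. The parser assumes the
one-line alert format produced by `snort -c snort.conf -A fast` (no -v):
  MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: N] {PROTO} src[:port] -> dst[:port]
Addresses obfuscated by -O appear as xxx.xxx.xxx.xxx and are accepted as-is.
"""
import re

# Constructed sample alerts (not real logs): local-range SIDs, documentation IPs.
SAMPLE_ALERTS = """\
08/12-02:55:29.123456 [**] [1:1000001:1] LOCAL ICMP ping sweep probe [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> xxx.xxx.xxx.xxx
08/12-02:55:30.200001 [**] [1:1000002:1] LOCAL SNMP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4123 -> xxx.xxx.xxx.xxx:161
08/12-02:55:30.200777 [**] [1:1000003:1] LOCAL telnet probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4124 -> xxx.xxx.xxx.xxx:23
08/12-02:56:01.000000 [**] [1:1000004:1] LOCAL web server error response [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} xxx.xxx.xxx.xxx:80 -> 203.0.113.7:51234
08/12-02:57:12.000000 [**] [1:1000005:1] LOCAL ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:40000 -> xxx.xxx.xxx.xxx:22
08/12-02:57:12.000100 [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
this line is garbage and must not crash the parser
"""

# An address is four dotted groups of digits, or of 'x' when -O obfuscated it.
_ADDR = r"[\dx]+(?:\.[\dx]+){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>" + _ADDR + r")(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>" + _ADDR + r")(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return a dict of fields for one alert-fast line, or None if it does not fit."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"]) if a["prio"] else None
    a["sport"] = int(a["sport"]) if a["sport"] else None
    a["dport"] = int(a["dport"]) if a["dport"] else None
    return a


def summarize(text):
    """Group alerts by source: count, distinct target ports, distinct signatures, time span.

    Returns (per_source, unparsed_line_count). Lines that do not match the
    alert format (preprocessor output, truncated lines) are counted, not guessed.
    """
    per_src = {}
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        s = per_src.setdefault(a["src"], {"alerts": 0, "dports": set(), "sigs": set(),
                                          "first": a["ts"], "last": a["ts"]})
        s["alerts"] += 1
        s["sigs"].add(a["msg"])
        s["last"] = a["ts"]
        if a["dport"] is not None:          # ICMP alerts carry no port
            s["dports"].add(a["dport"])
    return per_src, unparsed


def top_sources(text, n=5, ignore=frozenset()):
    """Most active sources as (src, alert_count, distinct_ports), busiest first.

    `ignore` lets you drop your own (possibly -O obfuscated) address, so alerts
    that fire on the server's outbound replies do not show up as 'scanners'.
    """
    per_src, _ = summarize(text)
    rows = [(src, s["alerts"], len(s["dports"]))
            for src, s in per_src.items() if src not in ignore]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:n]


if __name__ == "__main__":
    per_src, skipped = summarize(SAMPLE_ALERTS)
    for src, count, ports in top_sources(SAMPLE_ALERTS, ignore={"xxx.xxx.xxx.xxx"}):
        span = f'{per_src[src]["first"]} .. {per_src[src]["last"]}'
        print(f"{src:16} {count:3} alerts  {ports:2} distinct ports  {span}")
    print(f"{skipped} line(s) not in alert-fast format were skipped")
```

Feed it a real alert file with `summarize(open("/var/log/snort/alert").read())`; the per-source table is what you want to keep from weeks of running, and a few hundred one-line alerts per day is a very different disk budget from full packet dumps.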


Post by drumsti » Tue, 13 Aug 2002 08:12:41

Translation: I want Snort to run without logging everything, but I don't
feel like editing my snort.conf.  Someone please show me theirs, as I
can't be bothered to configure my own system.