portsentry would probably work better for you...
> Hi there,
> I am setting up snort-1.8.7 for the first time on a Redhat 7.2 machine...
> I would like to run it in the background in obfuscated ip mode, using
> the current rules from the site. It's a bit bizarre though... if I
> just run ./snort, it logs to /var/log/snort (which is fine) and only
> records scans of sensitive ports... I think. I tested it out by running
> ess against the machine I set snort on, and sure enough it seems to
> track the scans.
> Does the default ./snort use the snort.conf files though? I tried
> ./snort -dev -O -c snort.conf, but then it logs a -ton- of packets... if
> I just let this thing run for weeks, it will fill up my hard drive with
> snort logs.
> What is the most common configuration of snort that will only log the
> correct packets (meaning attempts to find vulnerabilities), not fill up
> my logs and yet provide the best information to track someone trying to
> scan me?
> The machine I'm installing this on is a standalone webserver colocated
> with our ISP. All non-essential services are shut down, but I am
> concerned because this machine has been hacked before. When that
> happened, I took it down and reinstalled everything from scratch, and
> now want to put some intrusion detection software on so I can tell when
> someone is portscanning me looking for vulnerabilities.
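Added example, not part of the thread above and not from the snort project: once snort is writing alerts rather than raw packets, the question becomes who is behind them. The script below reads a snort "alert_fast" style log (the line layout is an assumption about that format; compare it with your own alert file), drops alerts whose destination is outside your own network (response rules fire on your outbound traffic), and reports sources that touched several distinct destination ports, which is the signature of someone looking for listening services. The sample lines, IP addresses and rule IDs are constructed for the example.

```python
"""Summarise a snort alert_fast log to find who is probing a host.

Added example for the thread; the alert line layout is an assumption
about snort's alert_fast output, and the sample data is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# One alert per line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**]
#   [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification, priority and ports are optional (ICMP has no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: one host walking proxy ports, one outbound
# response alert, one single web probe, and a line that is not an alert.
SAMPLE_ALERTS = """\
08/29-10:32:11.123456  [**] [1:100:1] SCAN ping probe (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.5
08/29-10:32:12.004512  [**] [1:101:1] SCAN proxy 8080 attempt (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:43211 -> 198.51.100.5:8080
08/29-10:32:12.104512  [**] [1:102:1] SCAN socks proxy attempt (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:43212 -> 198.51.100.5:1080
08/29-10:32:12.204512  [**] [1:103:1] SCAN squid proxy attempt (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:43213 -> 198.51.100.5:3128
08/29-11:05:40.000001  [**] [1:104:1] ATTACK RESPONSES 403 Forbidden (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.5:80 -> 203.0.113.7:51234
08/29-11:07:01.000002  [**] [1:105:1] WEB probe for root.exe (constructed) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51240 -> 198.51.100.5:80
this is not an alert line (constructed noise)
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "prio"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize_sources(text, home_net):
    """Per source IP: alert count, distinct destination ports, rule messages.

    Alerts whose destination is outside home_net are skipped: those are our
    own outbound packets (response rules), not someone probing us.
    """
    net = ipaddress.ip_network(home_net)
    by_src = defaultdict(lambda: {"alerts": 0, "dports": set(), "msgs": set()})
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue  # blank or malformed line; do not abort the whole run
        if ipaddress.ip_address(rec["dst"]) not in net:
            continue
        entry = by_src[rec["src"]]
        entry["alerts"] += 1
        if rec["dport"] is not None:
            entry["dports"].add(rec["dport"])
        entry["msgs"].add(rec["msg"])
    return dict(by_src)


def likely_scanners(text, home_net, min_ports=3):
    """Sources that hit at least min_ports distinct ports, busiest first.

    Returns a list of (src, alert_count, distinct_port_count).
    """
    hits = []
    for src, entry in summarize_sources(text, home_net).items():
        if len(entry["dports"]) >= min_ports:
            hits.append((src, entry["alerts"], len(entry["dports"])))
    hits.sort(key=lambda t: (-t[2], -t[1], t[0]))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python3 scanners.py /var/log/snort/alert 198.51.100.0/24
    path, home = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        for src, alerts, ports in likely_scanners(fh.read(), home):
            print(f"{src:<16} {alerts:>5} alerts  {ports:>3} distinct ports")
```

Point it at the alert file snort writes under its log directory and give it your own network as the second argument; raise min_ports if a busy web server produces too many single-port alerts to be useful.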