This is a discussion on Re: [Snort-users] SnortSam - a few questions within the Snort forums, part of the System Security and Security Related category.
On Fri, 2003-09-26 at 12:35, zottmann@ig.com.br wrote:
> I have two questions regarding SnortSam, though:
>
> 1) Is there a list of "proven" attack rules, that we can use as a basis for
> configuring these rules to use SnortSam to block the attackers at the
> firewall?

Not really. It is up to each individual operator what rules he chooses to block on. False positives are different between each individual network, so only you know which rules are safe to block on in your network.

> 2) Although SnortSam is working fine, we don't get the alerts on Acid
> regarding the rule that we have chosen for the SnortSam test. Do we have to
> duplicate the rules that we chose to run with SnortSam, or is there another
> way to get Acid alerts for these rules too?

There is nothing special that needs to be done. Snortsam is an alert output plugin, so every alert rule that also has a fwsam option in it will block. If these alerts are also sent to your ACID database then you should see them.

Log rules don't invoke Snortsam. So if you want to log details to a db and call Snortsam, you would have to create a custom rule type that includes both the database plugin and the Snortsam plugin.

Hope this helps,
Frank

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQA/dJARpo+MRgtrF98RAqQqAKCQEiCWhF0YuFdloujoNM43/xvdkgCfSMap
O7uNAVZ0dwkXEnsJHoQ5iRQ=
=iNwE
-----END PGP SIGNATURE-----
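As an added illustration of the custom rule type Frank describes (this is example configuration written for this page, not code from the original post, from Frank, or from the SnortSam or Snort projects), the snort.conf fragment below defines a rule type that sends an event both to the ACID database and to SnortSam, then uses it in one rule. The ruletype name, the database credentials, the SnortSam station address and password, and the sample rule itself (including its sid) are assumed placeholder values and must be adapted to your sensor.

```conf
# Added example, not part of the original post. Custom Snort rule type that
# logs to the ACID database AND calls SnortSam. All hostnames, credentials,
# the SnortSam password, the ruletype name and the sample rule are assumed values.

ruletype blockandlog
{
    type alert
    # Same database output plugin you already use for ACID, so the event appears there
    output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
    # SnortSam station as host:port/password; must match the snortsam agent's own config
    output alert_fwsam: 127.0.0.1:898/CHANGEME
}

# A rule using the new action. The action keyword is the ruletype name, not
# "alert" or "log". Only rules that carry an fwsam option trigger a block;
# here the offending source address is blocked for 15 minutes.
blockandlog tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH connection attempt - block source"; flags:S; fwsam: src, 15 minutes; classtype:attempted-recon; sid:1000001; rev:1;)
```

Rules that use a custom ruletype are delivered only to the output plugins listed inside that ruletype block, which is why the database plugin has to be repeated here instead of relying on the global `output database:` line. Before moving any rule to a blocking type, review its false-positive history on your own network, as Frank notes: a rule that blocks `src` will cut off whatever host trips it, legitimate or not, for the whole duration given in the fwsam option.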