
Re: [Snort-users] Snort Implementation



Old 01-13-2004
Matt Kettler
 

At 03:29 AM 1/13/2004, yyyyyy yaher wrote:
>1-What is the most stable version of Snort that has
>been tested?


2.1.0 is the most recent stable release, but it has some issues with alert
mangling in some cases. I might wait for 2.1.1 before switching to the
2.1.x series.

2.0.6 is a bit more "well tested".

>2- Is it possible to get Snort running on Linux
>Red Hat without installing MySQL and ACID? Do I get
>all the alerts generated by Snort in that case? And
>what is the impact on Snort performance?


Sure. ACID/MySQL is just one popular management interface.

Snort can log to MySQL, flat file, or syslog; your choice.

I personally use flat file logging, and tcpdump format packet logging.



>3- What are the basic commands to run Snort in IDS
>mode in order to capture and analyze packets and
>generate alerts in a simple format?


snort -D -c /etc/snort.conf

The "commands" are all in your snort.conf file.. the snort tarball comes
with a snort.conf which has most all of the settings documented in it.
Start with that as a template and edit it to your needs.

>And how can I
>optimize its function in order to filter the false
>positive messages and get only the real threats?


Tweak the rules that are included by your snort.conf.


>4- Is snort.conf updated with the most recent rules
>regarding recent attacks and worms? And how could I
>verify that?


You can download an updated snort.conf and *.rules from the snort.org
website. Oinkmaster is a popular rule management tool to automate the updates.


>5- Our ISP can serve dialup and corporate (such as
>wave-wireless and leased line) customers by two Cisco
>7200 routers connecting all these customers to the
>Internet; our services (DNS, billing servers,
>Radiator, WWW server, ...) are protected by a PIX
>firewall; however, the proxies are running on the
>outside interface, so where is the best place to put
>the Snort sensor in order to get a clear idea about what's
>happening and react immediately to block the threat?


If you only have one, stick its tap out front where it can see everything.
However, I'd advise that the sniffing interface be a stealth type interface
that does not allow normal communications. Use a second interface connected
behind the PIX to support login, web interfaces, etc.






_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
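Two of the answers above (flat-file logging instead of a database, and "tweak the rules" to cut false positives) come together in practice as a small script that reads Snort's alert_fast flat file and tells you which signatures and which source hosts are generating the noise. The following is an added example, not code from the original post or from the Snort project; it assumes the Snort 2.x alert_fast line layout and the Snort 2.x threshold.conf syntax (suppress / threshold gen_id ..., sig_id ...), and the alert lines it parses are constructed for the example, not real captured traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Snort 2.x "alert_fast" flat-file output (assumed format;
# the lines are made up for this example and are not real captured alerts).
SAMPLE_ALERTS = """\
01/13-03:29:01.104512  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 192.0.2.10
01/13-03:29:01.204871  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 192.0.2.11
01/13-03:29:02.310044  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 192.0.2.12
01/13-03:29:02.419310  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 192.0.2.13
01/13-03:29:03.522987  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.2.3 -> 192.0.2.14
01/13-03:30:11.001245  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:41231
01/13-03:30:12.774120  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.9:50120
01/13-03:31:05.118733  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.11:80 -> 203.0.113.9:50144
01/13-03:31:40.660210  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:41302 -> 192.0.2.10:80
01/13-03:32:01.002210  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.20:3390 -> 192.0.2.10:80
01/13-03:32:05.118004  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.20:3391 -> 192.0.2.11:80
01/13-03:33:14.550931  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.21:4410 -> 192.0.2.10:80
01/13-03:33:20.771223  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.21:4412 -> 192.0.2.11:80
01/13-03:34:02.009870  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.22:1025 -> 192.0.2.10:80
01/13-03:34:09.330118  [**] [1:1852:4] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.22:1026 -> 192.0.2.11:80
"""

# alert_fast layout: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src[:port] -> dst[:port]
# Classification, Priority and the ports are optional (ICMP alerts carry no ports).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev"):
            rec[key] = int(rec[key])
        rec["pri"] = int(rec["pri"]) if rec["pri"] else None
        alerts.append(rec)
    return alerts


def count_by_rule(alerts):
    """Alert volume per signature, keyed by (gid, sid, msg)."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def sources_by_rule(alerts):
    """For each (gid, sid), a Counter of source IPs that triggered it."""
    by_rule = defaultdict(Counter)
    for a in alerts:
        by_rule[(a["gid"], a["sid"])][a["src"]] += 1
    return by_rule


def suggest_tuning(alerts, noisy_count=5, dominant_share=0.8, window_seconds=60):
    """Return threshold.conf lines (Snort 2.x syntax, assumed) for the noisy signatures.

    - A rule that fired at least noisy_count times, with at least dominant_share of
      the hits from one source host, gets a by_src suppress for that host: the usual
      "it's our own scanner / monitoring box" false positive.
    - Any other rule firing at least noisy_count times gets a rate limit so it still
      alerts, but once per source per window instead of on every packet.
    Rules below noisy_count are left alone; only real review should silence those.
    """
    counts = count_by_rule(alerts)
    sources = sources_by_rule(alerts)
    lines = []
    # Most frequent signature first; ties broken by sid so the output is stable.
    for (gid, sid, msg), total in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][1])):
        if total < noisy_count:
            continue
        src, n = sources[(gid, sid)].most_common(1)[0]
        if n / total >= dominant_share:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            lines.append(f"threshold gen_id {gid}, sig_id {sid}, type limit, track by_src, "
                         f"count 1, seconds {window_seconds}")
    return lines


if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), total in count_by_rule(parsed).most_common():
        print(f"{total:5d}  [{gid}:{sid}] {msg}")
    print("\n# suggested threshold.conf entries (review before applying):")
    print("\n".join(suggest_tuning(parsed)))
```

Run it against the real alert file (snort -A fast writes one line per alert in this layout) and the printed threshold.conf entries are a starting point for tuning, not something to apply blind: a suppress for a source IP is only right once you have confirmed that host is yours. For a signature you decide you never want, the corresponding Oinkmaster knob is a disablesid entry in oinkmaster.conf, so the rule stays disabled across the automated rule updates mentioned above.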