a snort question??

Thread: a snort question??

  1. #1
    Senior Member
    Join Date
    Sep 2003
    Posts
    161

    a snort question??

    Is Snort able to block intrusions or is it just a logger?

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I'm pretty sure that Snort will just log all intrusions and suspicious activity on the network. You just have to write a rule for what you want it to alert you to.

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    So it will just log and not stop an attack.
    One more question: does Snort log all the packets or just the suspicious ones?

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Snort logs activity based on the defined rulesets....you can create custom rules if you wish...

    everything you need to know is here: http://www.snort.org/docs/

  5. #5
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    It will only log what it considers an attack. I'm sure you can set it to log whatever you want. I think they have rules that are updated for download to define an attack. Basically it logs what you tell it to log.

  6. #6
    Senior Member
    Join Date
    Nov 2003
    Posts
    247
    It should just log suspicious packets and activity in general, although I am sure you could modify the source code quite easily so that it would log everything, or perhaps modify the rules of it.

    I don't think you want it to log all packets, without at least a log of just the suspicious ones. Reviewing it will be a pain.
    www.ADigitalPimp.com
    There is a ghost in the machine, and he is my friend.

  7. #7
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    I know I could create rules, but will they stop the attacks or just detect them?

  8. #8
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Just detect them. Basically you will just get an alert that you are being attacked. Then you have to figure out for yourself how to stop it. I recommend pulling your network cable, or the plug from the wall. Then that attack is logged:
    1.11 Does Snort log the full packets that it generates alerts?

    Yes, the packets should be in the directory that has the same IP address as the
    source host of the packet which generated the alert. If you are using binary
    logging, there will be a packet capture file (.pcap) in the logging directory
    instead.

  9. #9
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    There are add-ons to make Snort actively respond to alerts. I would be a bit leery of them though...
    http://www.chaotic.org/guardian/
    http://www.linuxsecurity.com/feature...e-printer.html

    Seems to me that this system could be fooled by false positives, and essentially create a denial of service. I have not looked into it very closely though.
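
Added example, not part of the thread or any poster's code: post #9's concern that an active-response add-on acting on false positives could cut off legitimate hosts, handled by a guard that sits between the alert file and whatever does the blocking. The alert lines, the allowlist and the thresholds are constructed assumptions, and the parser assumes Snort's "fast" alert format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed alerts in Snort's "fast" alert format (not taken from the thread).
SAMPLE_ALERTS = """\
01/15-10:22:31.100000  [**] [1:1000001:1] Constructed rule A [**] [Priority: 2] {TCP} 198.51.100.7:4321 -> 10.0.0.5:80
01/15-10:22:40.200000  [**] [1:1000002:1] Constructed rule B [**] [Priority: 2] {TCP} 198.51.100.7:4322 -> 10.0.0.5:80
01/15-10:23:05.000000  [**] [1:1000001:1] Constructed rule A [**] [Priority: 2] {TCP} 203.0.113.9:5555 -> 10.0.0.5:80
01/15-10:23:10.000000  [**] [1:1000001:1] Constructed rule A [**] [Priority: 2] {UDP} 192.0.2.53:53 -> 10.0.0.5:33000
01/15-10:23:11.000000  [**] [1:1000002:1] Constructed rule B [**] [Priority: 2] {UDP} 192.0.2.53:53 -> 10.0.0.5:33001
01/15-10:24:00.000000  [**] [1:1000001:1] Constructed rule A [**] [Priority: 2] {ICMP} 198.51.100.20 -> 10.0.0.5
01/15-10:30:00.000000  [**] [1:1000002:1] Constructed rule B [**] [Priority: 2] {ICMP} 198.51.100.20 -> 10.0.0.5
"""
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]"
    r".*\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+")
# Assumed policy values: own LAN and upstream resolver are never blocked.
NEVER_BLOCK = [ip_network("10.0.0.0/24"), ip_network("192.0.2.53/32")]
MIN_DISTINCT_SIDS = 2            # one rule firing once is not enough to block
WINDOW = timedelta(seconds=60)   # distinct rules must fire this close together

def block_candidates(text, never_block=NEVER_BLOCK):
    """Return {source_ip: [sids]} for sources that pass every guard."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        src = ip_address(m["src"])
        if any(src in net for net in never_block):
            continue  # blocking these would be a self-inflicted outage
        # Fast alerts carry no year; 2004 is an arbitrary assumed value.
        when = datetime.strptime("2004/" + m["ts"], "%Y/%m/%d-%H:%M:%S.%f")
        hits[src].append((when, m["sid"]))
    decisions = {}
    for src, events in hits.items():
        events.sort()
        for start, _ in events:
            sids = {s for t, s in events if timedelta(0) <= t - start <= WINDOW}
            if len(sids) >= MIN_DISTINCT_SIDS:
                decisions[str(src)] = sorted(sids)
                break
    return decisions

if __name__ == "__main__":
    print(block_candidates(SAMPLE_ALERTS))
```

Only 198.51.100.7 qualifies: the single alert, the two alerts six minutes apart and the allowlisted resolver are all left alone, and the output is a list for review or a time-limited block rather than a permanent one.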

  10. #10
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    Snort is an IDS (Intrusion Detection System). It detects intrusions. To stop them, you use a firewall, like ipchains or something along those lines.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman
