-
February 22nd, 2004, 07:07 PM
#1
Member
Snort Monitoring (one host vs. network)
ahh.. Snort is a great tool. Takes some time to learn and get comfortable with, but it's worth it.
Question for someone that knows more than I:
- Snort is logging events and alerts on more than just my WinXP box. I have the $HOME_NET variable set to $(\Device\NPF_{my NIC interface name}_ADDRESS) in Snort.conf. I do this because I have a dynamic IP address (this is a laptop). Is there something else I must do to restrict alerts and events to my IP address only?
Also, has the spp_portscan.log file been deprecated and replaced by the flow-portscan preprocessor? I'd like to generate a portscan.log file for use with ACID, but the general portscan processor isn't in the conf file (perhaps I can just place it there?)
Mucho Thankso,
l00p
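The per-host filtering the first post asks about, as an added example that is not from this thread or from Snort itself: a small Python script that parses Snort 2.x `alert_fast` lines and keeps only the alerts whose source or destination is the laptop's current address, looked up at run time. The alert line layout, the `local_ip` lookup and the sample alerts are my own assumptions and constructed data.

```python
import re
import socket
from typing import Iterable, Optional

# Trailing "{PROTO} src[:port] -> dst[:port]" of an alert_fast line; ports are optional (ICMP, portscan).
ADDR_RE = re.compile(
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?"
)

def local_ip() -> str:
    """Address this host currently routes out on (a UDP connect sends nothing)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 9))  # TEST-NET-1 address, never actually reached
        return s.getsockname()[0]
    except OSError:
        return "127.0.0.1"  # no route at all (offline laptop)
    finally:
        s.close()

def parse_alert(line: str) -> Optional[dict]:
    """Return proto/src/sport/dst/dport of an alert_fast line, or None if unparseable."""
    m = ADDR_RE.search(line)
    return m.groupdict() if m else None

def alerts_for_host(lines: Iterable[str], host: str) -> list:
    """Keep only alerts in which `host` is the source or the destination address."""
    kept = []
    for line in lines:
        fields = parse_alert(line)
        if fields and host in (fields["src"], fields["dst"]):
            kept.append(line.rstrip("\n"))
    return kept

# Constructed sample alerts in alert_fast layout; addresses are made up.
SAMPLE_ALERTS = [
    "02/22-19:07:03.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.77:1434 -> 10.0.0.5:1434",
    "02/22-19:07:09.654321  [**] [1:469:3] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.77 -> 10.0.0.9",
    "02/22-19:07:15.000001  [**] [122:1:0] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 10.0.0.77 -> 10.0.0.5",
]

if __name__ == "__main__":
    for alert in alerts_for_host(SAMPLE_ALERTS, local_ip()):
        print(alert)
```

Run it against the real alert file with `alerts_for_host(open("alert"), local_ip())`; alerts for every other host on the segment are dropped while the HOME_NET setting stays untouched.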
-
February 22nd, 2004, 07:33 PM
#2
I don't think that there is much you can do with the dynamic address issue unless you are always on the same network in which case you could assign a DHCP reservation for your MAC address.
I'm using Snort 2.x and it drops its portscan log from the new preprocessor right in the working directory of Snort. I don't use ACID any more so I don't remember if you can configure it to use a specific file.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 22nd, 2004, 07:40 PM
#3
Member
What options do you use for the flow-portscan processor? Mine starts off ok, but gives me three warning messages (saying the command line rules override the plugin alert). I don't know why, and the flow-portscan documentation doesn't help at all..
l00p
-
February 22nd, 2004, 07:46 PM
#4
Which startup options are you using?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 22nd, 2004, 10:30 PM
#5
Member
snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1
I haven't added anything interesting to the rules file aside from what's already in there. I've enabled (almost) all the options under the flow-portscan processor...
l00p