[Techtalk] SNORT setup
Dushyanth Harinath
dushy at symonds.net
Sun May 12 22:47:02 EST 2002
Hi James ,
* On 12th May 2002 07:46:14 PM you wrote:
> I have a SNORT sensor watching our /24. However, it doesn't seem to be
> picking up a lot of attacks.
>
> For example, I only see SOCKS 1080 probes that occur directly to the
> SNORT sensor, not any of our servers. Is there anyway to make the
> sensor more sensitive to this?
>
> I seem to remember a long time ago I had it setup and it used to detect
> more attacks. The sensor is working, as I always get to see oodles of
> CodeRed/Nimda traffic :rolleyes:.
Normally, if you can see these CodeRed/Nimda alerts then it shouldn't be
missing any other alerts, but of course this depends on your rule sets.
You can check snort status by sending a SIGUSR1 signal to snort; this
will print the status messages to /var/log/messages. Look whether it is
dropping packets.
#kill -SIGUSR1 <pid of snort>
BTW, which version of snort are you running? I hope it's the latest
stable version, because there have been a lot of improvements to the code
as well as the rules.
HTH
cheers
dushyanth
--
I hear if you play the NT 4.0 CD backwards, you get a Satanic message.
That's nothing. If you play it forward, it installs NT 4.0.
Dushyanth Harinath
Archean Infotech Ltd
http://www.archeanit.com
http://symonds.net/~dushy
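The SIGUSR1 status check described in the reply above, as an added example that is not part of the original post. The script sends SIGUSR1 to the running snort process (assuming pgrep is available and the process is named snort) and then extracts the dropped-packet count from the statistics line snort writes to syslog. The syslog line format used in the constructed sample is an assumption modelled on Snort 1.x's "Snort analyzed ... dropping N(x%) packets" output; adjust the sed pattern if your snort version prints something different.

```shell
#!/bin/sh
# Added example: check whether a snort sensor is dropping packets.
# Not part of the original mailing-list post.

# Constructed sample syslog lines (not real sensor output); the exact
# wording is an assumption based on Snort 1.x's statistics message.
SAMPLE_LOG='May 12 22:40:01 sensor snort: Snort received signal 10. Sending statistics to syslog
May 12 22:40:01 sensor snort: Snort analyzed 1048576 out of 1052000 packets, dropping 3424(0.325%) packets'

# Ask the running snort process to dump its statistics to syslog.
# Assumes pgrep exists and snort runs under the process name "snort".
snort_stats() {
    pid=$(pgrep -x snort 2>/dev/null | head -n 1)
    [ -n "$pid" ] || { echo "snort is not running" >&2; return 1; }
    kill -USR1 "$pid"
}

# Read syslog lines on stdin and print the dropped-packet count from the
# most recent snort statistics line (prints nothing if no such line exists).
dropped_packets() {
    grep 'snort:.*dropping' | tail -n 1 \
        | sed -n 's/.*dropping \([0-9][0-9]*\)(.*/\1/p'
}

# Succeed (exit 0) when the dropped-packet count on stdin is above $1.
# A sensor that drops many packets will also miss the attacks inside them.
drops_exceed() {
    count=$(dropped_packets)
    [ -n "$count" ] && [ "$count" -gt "$1" ]
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: trigger the dump, give syslog a moment, show the result.
    snort_stats && sleep 1 && grep 'snort:' /var/log/messages | tail -n 3
else
    # Offline demonstration on the constructed sample: prints 3424.
    printf '%s\n' "$SAMPLE_LOG" | dropped_packets
fi
```

Run it with `--live` on the sensor itself (as root, so that kill can signal snort); without arguments it parses only the constructed sample. If the drop count is well above zero while the sensor is supposedly quiet, the sensor is losing traffic before the rules ever see it, which is one reason probes against other hosts on the /24 would go unreported.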