[Techtalk] SNORT setup

Dushyanth Harinath dushy at symonds.net
Sun May 12 22:47:02 EST 2002


Hi James , 

 * On 12th May 2002 07:46:14 PM you wrote:
> I have a SNORT sensor watching our /24.  However, it doesn't seem to be
> picking up a lot of attacks.  
> 
> For example, I only see SOCKS 1080 probes that occur directly to the
> SNORT sensor, not any of our servers.  Is there anyway to make the
> sensor more sensitive to this?
> 
> I seem to remember a long time ago I had it setup and it used to detect
> more attacks.  The sensor is working, as I always get to see oodles of
> CodeRed/Nimda traffic :rolleyes:.

Normally, if you can see these CodeRed/Nimda alerts then it shouldn't be
missing any other alerts, but of course this depends on your rule sets.
You can check snort status by giving a SIGUSR1 signal to snort, this
will print the status messages to /var/log/messages. Look whether it is
dropping packets.

#kill -SIGUSR1 <pid of snort>

BTW, which version of snort are you running? I hope it's the latest
stable version, because there have been a lot of improvements to the code
as well as the rules.

HTH
cheers
dushyanth
-- 
I hear if you play the NT 4.0 CD backwards, you get a Satanic message.
That's nothing. If you play it forward, it installs NT 4.0.

Dushyanth Harinath
Archean Infotech Ltd
http://www.archeanit.com
http://symonds.net/~dushy
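Added example, not part of the original message: a small POSIX shell script for the check Dushyanth describes, sending SIGUSR1 to snort and reading the resulting statistics out of /var/log/messages. It assumes the one-line "Snort analyzed N out of M packets, dropping D(x%) packets" format that Snort 1.x logged on SIGUSR1 (verify against your own syslog), and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: request Snort's packet statistics via SIGUSR1 and check
# the reported drop rate. Log line format below is an assumption about the
# Snort 1.x-era statistics message; adjust the sed pattern if yours differs.

# Ask the running snort process to dump its statistics to syslog.
snort_request_stats() {
    pid=$(pgrep -x snort | head -n 1)
    [ -n "$pid" ] || { echo "snort is not running" >&2; return 1; }
    kill -USR1 "$pid"
}

# Print the drop percentage from the most recent statistics line in $1
# (normally /var/log/messages). Prints nothing if no stats line is found.
snort_drop_pct() {
    grep 'Snort analyzed' "$1" | tail -n 1 |
        sed -n 's/.*dropping [0-9]*(\([0-9.]*\)%).*/\1/p'
}

# Return 0 if the latest drop rate in file $1 is at or below threshold $2 (%),
# 1 if it is above, 2 if no statistics line could be found.
snort_drop_ok() {
    pct=$(snort_drop_pct "$1")
    [ -n "$pct" ] || return 2
    awk -v p="$pct" -v t="$2" 'BEGIN { exit (p + 0 > t + 0) ? 1 : 0 }'
}

# Constructed sample syslog lines (not real sensor output) for offline use:
# the first shows a healthy sensor, the second one that is dropping packets.
snort_sample_log() {
    cat <<'EOF'
May 12 22:10:01 sensor snort: Snort analyzed 48213 out of 48213 packets, dropping 0(0.000%) packets
May 12 22:40:01 sensor snort: Snort analyzed 96110 out of 101230 packets, dropping 5120(5.058%) packets
EOF
}

# Demo on the constructed sample: run the script with "demo" as its argument.
if [ "${1-}" = "demo" ]; then
    f=$(mktemp)
    snort_sample_log > "$f"
    echo "last reported drop rate: $(snort_drop_pct "$f")%"
    snort_drop_ok "$f" 1 || echo "WARNING: sensor is dropping packets, alerts may be missed"
    rm -f "$f"
fi
```

On a live sensor, run snort_request_stats, wait a moment, then point snort_drop_ok at /var/log/messages; a non-zero drop rate means traffic is going unexamined and missing alerts are expected.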