[Techtalk] SNORT setup

Raven, corporate courtesan <raven at oneeyedcrow.net>
Tue May 14 20:19:39 EST 2002


Heya --

Quoth James (Sun, May 12, 2002 at 07:46:14PM -0400):
> I have a SNORT sensor watching our /24.  However, it doesn't seem to
> be picking up a lot of attacks.  For example, I only see SOCKS 1080
> probes that occur directly to the SNORT sensor, not any of our
> servers.  Is there anyway to make the sensor more sensitive to this?

	With Snort, nearly everything you see depends on your ruleset.
Could you post your rules here (or, if they're really long, trim out
the irrelevant parts)?  Also, how are you invoking Snort originally?
That can have a bearing on how it operates.

	I'm wondering if your SOCKS rule is something like "alert tcp
any any -> the.sensor 1080 (do stuff)" rather than "alert tcp any any ->
my.netblock 1080 (do stuff)".  
 
> I seem to remember a long time ago I had it setup and it used to detect
> more attacks.  The sensor is working, as I always get to see oodles of
> CodeRed/Nimda traffic :rolleyes:.

	CodeRed and Nimda are likely handled by an entirely different
rule.  Take a look at snort.conf and we'll figure out your ruleset.

Cheers,
Raven 
 
"You found the Amulet of Yendor!"
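As an added illustration that is not part of the original thread, here is what the two rule shapes Raven contrasts look like when written out as a snort.conf fragment. The netblock 192.0.2.0/24 and the sensor address 192.0.2.5 are placeholders standing in for James's /24, the sids are in the local range, and the msg strings are made up for this example.

```snort
# Added example, not from the original thread.  Addresses are placeholders
# standing in for James's /24; swap in the real netblock and sensor address.
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET any

# Too narrow: the destination is the sensor itself, so a SOCKS probe against
# any other host in the /24 never matches, which is the symptom James reports.
# (Left commented out so it does not double-alert alongside the rule below.)
# alert tcp $EXTERNAL_NET any -> 192.0.2.5 1080 (msg:"LOCAL SOCKS probe to sensor"; flags:S; sid:1000001; rev:1;)

# Correct scope: match the whole monitored netblock, and only on the initial
# SYN so one probe produces one alert rather than one alert per packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"LOCAL SCAN SOCKS proxy attempt"; flags:S; classtype:attempted-recon; sid:1000002; rev:1;)
```

The invocation Raven asks about matters too: `snort -c /etc/snort/snort.conf -h 192.0.2.0/24 -i eth0 -l /var/log/snort` loads this ruleset, sets the home network, and picks the capture interface. Widening the rule only helps if that interface actually receives other hosts' packets; on a switched segment a NIC sees just its own unicast traffic plus broadcasts unless it sits on a hub or a mirror/SPAN port, so a sensor that alerts only on probes aimed at itself should first be checked with something like `tcpdump -n -i eth0 'tcp dst port 1080 and not dst host 192.0.2.5'` to confirm the traffic is visible at all.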
