
List:       snort-users
Subject:    Re: [Snort-users] Snort signatures
From:       Erek Adams <erek () snort ! org>
Date:       2003-02-28 20:19:39

On Fri, 28 Feb 2003, SUDAGER BILKHU wrote:

> I have recently set up Snort as part of my final year project at
> University.  I have configured Snort to monitor traffic between 4
> computers, to demonstrate how Snort detects unauthorised traffic.
>
> My first question is, where can I find documentation on determining what
> the signatures I receive mean?

http://www.snort.org/snort-db/

> Secondly are there a number of commands that I should use to tell Snort
> to start monitoring?

Yes, there are.

To dump traffic, you use 'sniffer mode'.  To search for attacks, you use
IDS mode.  Check the USAGE file and the first chapter of the docs [0].
When using IDS mode, you will need to configure snort.conf.  Read its
inline comments.

> How do I perform a port scan?

*shrug*  However you want.  Nmap, Nessus, GRC.com, Shieldsup, whatever.
Doesn't matter.

> Thirdly I downloaded a front end for my Snort system.  The file is
> called idscenter.zip.  It was downloaded from the download section on
> snort.org, in the add ons section under front ends.  There is no
> documentation with this.  Does anybody use such a system and if so do
> they know where I can get documentation.

Until you have Snort running, my honest suggestion is to forget about a
frontend.  If you are using this for a final at a University and they ask
"How do you enable or disable rules?" and your answer is "Click on the
check box in the GUI." do you think your professor would consider that a
"right" answer?  :)

> I would really appreciate any kind of feedback.  I am at the moment only
> a novice but have been reading a lot about Snort and want to find out
> more.

No trouble at all...

Two things I suggest:

	RTFM :) [0]
	RTFF :) [1]

There's _tons_ of useful stuff there.  If you are still lost, then you
might want to check the mailing list archives [2] since there's quite a
large subscriber base, and someone else may have had that same question.

Cheers and good luck on your project!  :)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/writing_rules/
[1]	http://www.snort.org/docs/faq.html
[2]	http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2
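Two points in the reply above trip up newcomers: the sid in an alert is the key you look up in the Snort signature database, and a rule is enabled or disabled by editing plain text (uncommenting or commenting the line in the rules file that snort.conf includes), not by a GUI check box. The following is an added example, not code from the post or from the Snort project: a small Python script that parses a constructed local.rules file in the Snort 2 rule syntax (`action proto src sport -> dst dport (option:value; ...)`), reports each rule's sid, rev, msg and reference options, and enables or disables a rule by sid. The sample rules, their sids and messages are constructed for illustration; `parse_rules`, `set_rule_enabled` and `split_options` are names chosen here.

```python
import re

# Constructed sample rules file; the sids (1000001..1000003) and messages are
# made up for illustration and are not real Snort signatures.
SAMPLE_RULES = """\
# local.rules (constructed example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH connection to home net"; flow:to_server,established; classtype:misc-activity; sid:1000001; rev:1;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ICMP echo request"; itype:8; classtype:misc-activity; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB probe"; content:"GET /"; reference:url,www.snort.org/snort-db/; classtype:web-application-activity; sid:1000003; rev:1;)
"""

# A rule line: optional leading '#' (disabled), an action keyword, the header up
# to the first '(', then the option list inside the parentheses.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<header>[^(]+)\((?P<options>.*)\)\s*$'
)


def split_options(opts):
    """Split 'key:value; key:value;' on semicolons that are outside double quotes."""
    items, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            items.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if ''.join(buf).strip():
        items.append(''.join(buf).strip())
    return items


def parse_rules(text):
    """Return one dict per rule line: line number, enabled flag, header and key options."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines, plain comments and anything that is not a rule
        rule = {
            'lineno': lineno,
            'enabled': m.group('disabled') is None,
            'action': m.group('action'),
            'header': m.group('header').strip(),
            'sid': None,
            'rev': None,
            'msg': None,
            'references': [],
        }
        for item in split_options(m.group('options')):
            name, sep, value = item.partition(':')
            if not sep:
                continue  # flag-style options such as 'nocase' carry no value
            name, value = name.strip(), value.strip()
            if name == 'sid':
                rule['sid'] = int(value)
            elif name == 'rev':
                rule['rev'] = int(value)
            elif name == 'msg':
                rule['msg'] = value.strip('"')
            elif name == 'reference':
                rule['references'].append(value)
        rules.append(rule)
    return rules


def set_rule_enabled(text, sid, enabled):
    """Return the rules text with the rule carrying `sid` uncommented (enabled)
    or commented out (disabled).  Lines for other sids are returned unchanged."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        m = RULE_RE.match(stripped)
        if m and any(r['sid'] == sid for r in parse_rules(stripped)):
            if enabled and m.group('disabled'):
                stripped = stripped[len(m.group('disabled')):]
            elif not enabled and not m.group('disabled'):
                stripped = '#' + stripped
            out.append(stripped)
        else:
            out.append(line)
    return '\n'.join(out) + ('\n' if text.endswith('\n') else '')


if __name__ == '__main__':
    for r in parse_rules(SAMPLE_RULES):
        state = 'enabled ' if r['enabled'] else 'disabled'
        print(f"line {r['lineno']}: {state} sid={r['sid']} rev={r['rev']} msg={r['msg']!r} refs={r['references']}")
    print(set_rule_enabled(SAMPLE_RULES, 1000002, True))
```

The sid and msg the script prints are exactly what an alert line carries, which is why the signature database lookup the reply points to works. For the command-line side of the reply: in Snort 2 of that era, sniffer mode is `snort -v` (add `-d` for payload and `-e` for link-layer headers), and IDS mode is `snort -c snort.conf -l ./log`, with the rules file above pulled in through an `include` line in snort.conf.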

