Snort


Snort is a widely used open source intrusion detection system (IDS). Many installations use ACID (Analysis Console for Intrusion Detection) as the console for viewing and manipulating alerts; ACID is widely viewed as slow and cumbersome. Something I'd like to try in the near future is Sguil, which is written in Tcl/Tk and shows a lot of promise.

Snort with ACID (out-dated)

Snort with BASE

Snort with Sguil

Cleanup Snort Alerts from MySQL

Tips!

To ensure proper reporting, force each sensor to report its hostname and interface by adding a sensor_name value to the output line in snort.conf. Without it, alerts and sensor listings show entries such as unknown:eth0 or unknown:eth1 instead of the real sensor name.

output database: alert, mysql, user=snort password=<pass> dbname=snort host=<host> sensor_name=<hostname>:eth0
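As an added example (not part of the original notes), the following Python script checks a snort.conf for output database lines that lack sensor_name, the condition that produces the unknown:eth0 entries described above, and appends sensor_name=<hostname>:<interface> to any line that is missing it. The sample configuration text is constructed for the example; the hostname is taken from socket.gethostname() unless one is passed in, and the eth0 default interface is an assumption you should set per sensor.

```python
import re
import socket

# Constructed snort.conf fragment (not from the original page).
# Line 3 has no sensor_name and would be reported as unknown:eth0;
# line 4 already carries one and must be left untouched.
SAMPLE_CONF = """\
# snort.conf (constructed example)
var HOME_NET 192.168.1.0/24
output database: alert, mysql, user=snort password=<pass> dbname=snort host=<host>
output database: log, mysql, user=snort password=<pass> dbname=snort host=<host> sensor_name=ids2:eth1
output unified2: filename snort.u2, limit 128
"""

# Matches an 'output database:' directive and captures its parameter list.
OUTPUT_DB_RE = re.compile(r"^\s*output\s+database:\s*(.*)$")


def parse_output_db_lines(conf_text):
    """Return [(line_number, params)] for every output database line.

    params maps key=value tokens to their values; positional items
    (the log type and the backend, e.g. 'alert', 'mysql') go under '_pos'.
    """
    results = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = OUTPUT_DB_RE.match(line)
        if not m:
            continue
        params = {"_pos": []}
        for item in m.group(1).split(","):
            for tok in item.split():
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    params[key] = value
                else:
                    params["_pos"].append(tok)
        results.append((lineno, params))
    return results


def missing_sensor_name(conf_text):
    """Line numbers of output database lines without sensor_name."""
    return [ln for ln, p in parse_output_db_lines(conf_text) if "sensor_name" not in p]


def add_sensor_name(line, hostname, iface):
    """Append sensor_name=<hostname>:<iface> unless the line already sets one."""
    if re.search(r"\bsensor_name=", line):
        return line
    return f"{line.rstrip()} sensor_name={hostname}:{iface}"


def fix_conf(conf_text, hostname=None, iface="eth0"):
    """Return the configuration with sensor_name added where it was missing.

    hostname defaults to this machine's name; iface is an assumed default
    and should be set to the interface the sensor actually listens on.
    """
    hostname = hostname or socket.gethostname()
    fixed = []
    for line in conf_text.splitlines():
        if OUTPUT_DB_RE.match(line):
            line = add_sensor_name(line, hostname, iface)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for ln in missing_sensor_name(SAMPLE_CONF):
        print(f"line {ln}: output database line lacks sensor_name")
    print(fix_conf(SAMPLE_CONF, hostname="ids1", iface="eth0"))
```

Run it against a real file by reading snort.conf into fix_conf and writing the result back; the check in missing_sensor_name is the part worth keeping in a deployment script so a sensor that has lost its sensor_name is caught before it starts logging as unknown:eth0 again.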