If I only want snort to log only one specified rule like "scan.rules" or "ftp.rules",
then how can I configure that?
I'm running my snort with the command: snort -dv -c /etc/snort.snort.conf, but I want to be more specific with my rules.
I'm running snort-mysql with ACID; it works perfectly, but it alerts too much =)
Thanks for the answer!
BTW! Don't run snort on Fedora Core 2, it sucks a lot. I switched to Debian and it works perfectly.
Comment out the rest of the rules at the bottom of the snort.conf file and restart snort, though alerts will still be generated by any preprocessors. It might help if you posted some examples of the alerts. If it's one particular type of alert or one particular host, you can usually fine-tune the config or write a pass/BPF rule to avoid excess alerts or FPs.
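As an added illustration of the answer above (not part of the original thread, and not taken from the Snort project's shipped snort.conf), here is what the bottom of a Snort 2.x snort.conf looks like once only scan.rules and ftp.rules are kept, together with a pass rule that silences one noisy internal host. The path /etc/snort/snort.conf, the $RULE_PATH value, the host 192.168.1.50 and the sid 1000001 are assumed sample values, not values from the thread.

```conf
# --- rule includes: keep the two sets you care about, comment out the rest ---
var RULE_PATH /etc/snort/rules

include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/icmp.rules
# ... every other "include $RULE_PATH/..." line commented out the same way

# --- pass rule: drop alerts for one known-noisy internal host (assumed address) ---
# Everything this host sends is matched by the pass rule and never reaches alert rules.
pass ip 192.168.1.50 any -> any any (msg:"quiet scanner host"; sid:1000001; rev:1;)

# Preprocessor alerts (portscan, stream reassembly, etc.) are NOT affected by
# the includes above; tune or comment out the "preprocessor" lines for those.

# Run with -o so pass rules are applied before alert rules (older Snort 2.x
# applies alert before pass by default), and restart after every edit:
#   snort -dv -o -c /etc/snort/snort.conf
#
# A BPF filter can also keep packets out of the engine entirely; the filter
# expression goes after the options (or in a file given with -F):
#   snort -dv -o -c /etc/snort/snort.conf not host 192.168.1.50
```

The pass rule and the BPF filter solve the same problem at different layers: the BPF filter discards packets before any preprocessor sees them, so it also removes preprocessor alerts for that host, while a pass rule still lets preprocessors inspect the traffic and only suppresses rule-based alerts.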