LinuxQuestions.org

Linux - Security: Snort, Rules (http://www.linuxquestions.org/questions/linux-security-4/snort-rules-266240/)

Tredo 12-14-2004 07:40 AM

Snort, Rules
 
Hey! =)

My question:

If I only want Snort to log one specified rule, like "scan.rules" or "ftp.rules",

then how can I configure that?

I'm running Snort with the command: snort -dv -c /etc/snort.snort.conf, but I want to be more specific with my rules.

I'm running snort-mysql with ACID; it works perfectly, but it alerts too much =)

Thanks for answering!

BTW! Don't run Snort on Fedora Core 2, it sux a lot. I switched to Debian and it works perfectly.

Capt_Caveman 12-20-2004 01:36 AM

Comment out the rest of the rules at the bottom of the snort.conf file and restart Snort, though alerts will still be generated by any preprocessors. It might help if you posted some examples of the alerts. If it's one particular type of alert or one particular host, you can usually fine-tune the config or write a pass/BPF rule to avoid excess alerts or FPs.
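The "comment out the other rule includes" step from the answer above, as an added shell example that is not code from the thread or from the Snort project. It assumes a Snort 2.x style snort.conf where rule files are pulled in with lines of the form `include $RULE_PATH/<file>.rules`; the sample config it writes is constructed for the demonstration, and the preprocessor and output lines in it are only there to show that non-include lines pass through untouched.

```shell
#!/bin/sh
# Added example (not from the thread): keep a single rule file enabled in a
# Snort 2.x snort.conf by commenting out every other
# "include $RULE_PATH/<file>.rules" line. Preprocessor, variable and output
# lines are left alone, so preprocessor alerts (as the answer notes) continue.

# keep_only_rules <rules-file-to-keep> <path-to-snort.conf>
# Writes the rewritten config to stdout; save it and point snort -c at it.
keep_only_rules() {
    awk -v keep="$1" '
        /^include[ \t]+\$RULE_PATH\/[^ \t]+\.rules[ \t]*$/ {
            # $2 is "$RULE_PATH/<file>.rules"; compare only the file name
            n = split($2, parts, "/")
            if (parts[n] != keep) { print "# " $0; next }
        }
        { print }
    ' "$2"
}

# active_includes <path-to-snort.conf>: number of rule includes still enabled
active_includes() {
    grep -c '^include[[:space:]]*\$RULE_PATH/' "$1" || true
}

# write_sample_conf <path>: constructed snort.conf fragment used for the demo
# (hypothetical values, not a real deployment's config)
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var RULE_PATH /etc/snort/rules
preprocessor stream4: detect_scans
output database: log, mysql, user=snort dbname=snort host=localhost
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/web-cgi.rules
# include $RULE_PATH/chat.rules
EOF
}

# Demo: keep only scan.rules, show what is left enabled
if [ "${1:-}" = "--demo" ]; then
    conf=$(mktemp)
    write_sample_conf "$conf"
    echo "enabled before: $(active_includes "$conf")"
    keep_only_rules scan.rules "$conf"
    rm -f "$conf"
fi
```

Run the rewritten file through `snort -T -c <file>` before restarting so a typo in the config is caught offline. For the pass-rule route mentioned in the answer, remember that Snort 2.x applies alert rules before pass rules unless you start it with `-o`, which changes the order to pass, alert, log; a BPF expression can also be given on the command line after the options (for example `snort -dv -c snort.conf not host 192.0.2.10`, with a documentation address used here as a placeholder) to keep a known noisy host out of the engine entirely.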

All times are GMT -5.