Snort, Rules
Hey! =)
My question: if I only want Snort to log one specified rule file, like "scan.rules" or "ftp.rules", then how can I configure that? I'm running my Snort with the command: snort -dv -c /etc/snort.snort.conf, but I want to be more specific with my rules. I'm running snort-mysql with ACID, and it works perfectly, but it alerts too much =) Thanks for the answer! BTW! Don't run Snort on Fedora Core 2, it sucks a lot. I switched to Debian and it works perfectly.
Comment out the rest of the rules at the bottom of the snort.conf file and restart Snort, though alerts will still be generated by any preprocessors. It might help if you posted some examples of the alerts. If it's one particular type of alert or one particular host, you can usually fine-tune the config or write a pass/BPF rule to avoid excess alerts or FPs.
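To make the answer above concrete, here is an added illustration of a Snort 2.x snort.conf fragment and a matching pass rule; it is not from the thread, and the network, host address and rule path are constructed placeholders.

```conf
# --- snort.conf (Snort 2.x) fragment: constructed example, not the poster's file ---
var HOME_NET 192.168.1.0/24        # constructed example network
var RULE_PATH /etc/snort/rules     # assumed rule directory

# Keep only the rule files you actually want loaded; every other "include"
# line at the bottom of snort.conf is commented out, so nothing else fires.
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
# include $RULE_PATH/web-cgi.rules
# include $RULE_PATH/icmp.rules
# include $RULE_PATH/smtp.rules

# Preprocessors (portscan, stream, etc.) still raise their own alerts
# independently of rule files; disable the preprocessor itself if unwanted.

# Pass rules only win if they are evaluated before alert rules
# (equivalent to starting snort with -o).
config order: pass alert log activation dynamic

# Site-specific rules go in local.rules
include $RULE_PATH/local.rules

# --- local.rules: suppress a known noisy host instead of a whole rule file ---
# 192.168.1.10 is a constructed example (e.g. an authorised vulnerability scanner)
pass tcp 192.168.1.10 any -> $HOME_NET 21 (msg:"Trusted scanner - FTP"; sid:1000001; rev:1;)
```

The BPF alternative mentioned in the answer filters before Snort ever sees the packets, e.g. appending `not host 192.168.1.10` to the snort command line, so that host generates neither rule nor preprocessor alerts.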