
Re: [Snort-users] Snort signatures (understanding snort output)

From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Fri Feb 28 2003 - 16:02:15 EST

1) For many signatures you can get some documentation by going to the snort.org website and entering the SID number of the rule into the "rules documentation" part.

Note that none of this will be a "simple" explanation, because there is no simple explanation possible. You're looking at output from the analysis of an inherently complicated problem.

If the messages in most of the snort alerts don't mean anything to you right away, you might want to read an old post I made on this subject; it's very well written, and very thorough about the kinds of things a snort-admin should know about networks.

That message is web-archived here:
http://archives.neohapsis.com/archives/snort/2002-12/0474.html

2) Nope, you just need to start snort and give it a config file, after properly editing the snort.conf to include proper definitions for things like HOME_NET. You might want to use some command-line switches to tell it what interface to listen on, etc., but these are all fairly straightforward if you read the manpage for snort.

3) I can't help you with idscenter, I've never used it.

At 01:43 PM 2/28/2003 +0000, SUDAGER BILKHU wrote:
>Hi all,



Received on Fri Feb 28 16:08:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 11:49:56 EDT
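
A pre-flight check for point 2 of the reply above, as an added example that is not part of the original message: it confirms that a snort.conf defines HOME_NET as something other than `any` before Snort is started. The helper names `home_net_value` and `check_home_net`, the sample config, the 192.168.1.0/24 network and the `eth0` interface are all constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that snort.conf defines HOME_NET before starting Snort.
# home_net_value and check_home_net are hypothetical helpers, not Snort tools.

# Print the effective HOME_NET value (the last definition wins), or nothing.
home_net_value() {
    awk '
        # "var" is the classic keyword; "ipvar" appears in later Snort 2.x configs.
        ($1 == "var" || $1 == "ipvar") && $2 == "HOME_NET" {
            sub(/#.*/, "")                      # drop a trailing comment
            val = ""
            for (i = 3; i <= NF; i++) val = val $i   # rejoin lists split on spaces
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 only when HOME_NET is defined and is not the catch-all "any".
check_home_net() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    value=$(home_net_value "$conf")
    case "$value" in
        "")  echo "HOME_NET is not defined in $conf" >&2; return 1 ;;
        any) echo "HOME_NET is still 'any'; set it to your own network(s)" >&2; return 1 ;;
        *)   echo "HOME_NET = $value"; return 0 ;;
    esac
}

# Constructed sample config: a commented-out default plus a real definition.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# var HOME_NET any
var HOME_NET 192.168.1.0/24   # constructed example network
var EXTERNAL_NET !$HOME_NET
EOF

check_home_net "$sample"

# Once the check passes on the real file, test the config and then start Snort
# (the interface name eth0 is an assumption):
#   snort -T -c /path/to/snort.conf -i eth0
#   snort -c /path/to/snort.conf -i eth0
```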
