
Snort - syslog, docs & packages [longish]



Okay, I'm trying to get to know the pig. I've only just installed it and have done no modifications to the default install other than answer debconf's questions. I notice that my snort-monitored interface leaves promiscuous mode and enters it again five seconds later. I'm assuming this is from the "/etc/cron.daily/5snort" script (supplied by the package) issuing its /etc/init.d/snort restart on line 28.

[syslog] Is there any reason why I shouldn't add a line that sends to syslog a message about Snort restarting before the restart is given (or that it shouldn't be included by default)? I ask this because I had been using an older NIC at the external interface and it was regularly choking and dropping out of promiscuous mode and, for a while, I didn't know why. Logging the restart would at least document that it was a planned mode change.

[docs] I haven't delved into the docs, yet. I've got what is supplied by snort-doc and the snort.org site. Are there any other good recommended references?

[packages] Also, I notice that snort is also suffering from poor package descriptions. snort, snort-common, snort-doc, snort-mysql and snort-rules-default all seem to have the following:

Description: Flexible NIDS (Network Intrusion Detection System)
 Snort is a libpcap-based packet sniffer/logger which can be used as a
 lightweight network intrusion detection system. It features rules
 based logging and can perform content searching/matching in addition
 to being used to detect a variety of other attacks and probes, such
 as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
 much more. Snort has a real-time alerting capability, with alerts being
 sent to syslog, a separate "alert" file, or even to a Windows computer
 via Samba.

... which doesn't really help a newbie like me differentiate between the pieces.



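One way to do what the [syslog] paragraph asks for, as an added example that is not part of the original post or of the Debian snort package: a small POSIX sh wrapper the cron job could call instead of the bare restart. It writes a notice to syslog (facility daemon, priority notice) before running the restart, so that a later promiscuous-mode flap on the monitored interface can be matched against a planned restart rather than a failing NIC. The init script path /etc/init.d/snort is the one named in the post; the tag name "snort-cron", the message wording and the optional command override are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the Debian snort package):
# record a planned Snort restart in syslog before restarting, so a
# promiscuous-mode drop/re-enter seen afterwards is documented as planned.

SNORT_INIT="${SNORT_INIT:-/etc/init.d/snort}"   # init script path from the post
LOG_TAG="${LOG_TAG:-snort-cron}"                 # assumed syslog tag for this job

# build_restart_message REASON
# Prints the exact text that will be logged; kept separate so it can be
# checked without touching syslog or the init script.
build_restart_message() {
    printf 'planned restart of snort (%s); monitored interface will leave and re-enter promiscuous mode' "$1"
}

# logged_restart REASON [CMD ...]
# Logs the notice first, then runs the restart command. CMD defaults to
# "$SNORT_INIT restart"; passing another command is only for testing.
# Returns the restart command's exit status so cron still sees failures.
logged_restart() {
    reason="$1"
    shift
    msg="$(build_restart_message "$reason")"

    # Prefer logger(1); if it is missing or syslog is unreachable, fall back
    # to stderr so cron mails the line instead of losing it.
    if command -v logger >/dev/null 2>&1; then
        logger -t "$LOG_TAG" -p daemon.notice "$msg" 2>/dev/null \
            || printf '%s: %s\n' "$LOG_TAG" "$msg" >&2
    else
        printf '%s: %s\n' "$LOG_TAG" "$msg" >&2
    fi

    if [ "$#" -gt 0 ]; then
        "$@"
    else
        "$SNORT_INIT" restart
    fi
}

# Intended use from the cron job, replacing the bare restart line:
#   logged_restart "daily log rotation"
```

The logged line lands in the same daemon facility as Snort's own start/stop messages, so a plain grep of the syslog for the tag shows every planned restart next to the interface's promiscuous-mode transitions.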