Mike Hughes said:
> What's up!
>
> I have BIND 9 and Snort 1.9.1 running on my Linux 7.3 machine. But

> "/var/log/snort/206.204.10.200"
> "/var/log/snort/206.204.10.200/ICMP_ECHO"

>             // Queries. Duh.
>             category queries { named_info; };

Change "named_info;" to "null;".

This is my log config for BIND 8 (it seems similar to BIND 9):

logging {
  // File channels; paths are relative to the chroot directory given with -t
  channel chroot_default {
    file "log/named.log" versions 3 size 10m;
    print-time yes;
    print-category yes;
    severity info;
  };
  channel chroot_debug {
    file "log/debug.log" versions 3 size 10m;
    print-time yes;
    print-category yes;
    severity dynamic;   // follows the server's current debug level
  };

  // Everything operational goes to syslog, facility daemon
  channel syslog_server {
    syslog daemon;
    print-category yes;
    severity info;
  };

  category default { syslog_server; };
  category panic { syslog_server; };
  category packet { chroot_debug; };
  category lame-servers { null; };   // null discards these messages
  category queries { null; };        // no per-query logging
  category statistics { syslog_server; };
  category config { syslog_server; };
  category parser { syslog_server; };
  category ncache { syslog_server; };
  category xfer-in { syslog_server; };
  category xfer-out { syslog_server; };
  category db { syslog_server; };
  category eventlib { chroot_default; };
  category notify { syslog_server; };
  category cname { syslog_server; };
  category security { syslog_server; };
  category os { syslog_server; };
  category insist { syslog_server; };
  category maintenance { syslog_server; };
  category load { syslog_server; };
  category response-checks { syslog_server; };
};

I run my BIND with /usr/sbin/named -u named -g named -t /etc/bind
(on Debian systems).

Be sure to restart BIND after changing the config.

As for Snort, you must tune it; see the Snort docs on how to do this.
I use PureSecure (www.demarc.com) for my Snort; it works extremely well.

nate
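The logging block above works by defining channels (file or syslog destinations) and then routing each category to one of them, with the predefined "null" channel discarding a category outright. A mistake that is easy to make while editing is pointing a category at a channel that was never defined, or silently discarding a category you still need. The following checker is an added example, not code from this thread or from BIND: it takes a constructed named.conf logging block, lists the defined channels, reports categories that reference undefined channels, and reports whether query logging is still active. It is a small regex parser for the simple syntax shown in the reply, not a full named.conf parser, and the set of built-in channel names it accepts (BIND 9's null, default_syslog, default_debug, default_stderr) is an assumption.

```python
import re

# Constructed sample logging block, modelled on the reply above (not a real server's config).
# It deliberately contains one category that points at a channel that is never defined.
SAMPLE_LOGGING = """
logging {
  channel chroot_default {
    file "log/named.log" versions 3 size 10m;
    print-time yes;
    severity info;
  };
  channel syslog_server {
    syslog daemon;
    severity info;
  };
  category default { syslog_server; };
  category queries { null; };
  category security { chroot_default; };
  category xfer-in { missing_channel; };
};
"""

# Channel names assumed to be predefined (BIND 9 names; BIND 8 only predefines null).
BUILTIN_CHANNELS = {"null", "default_syslog", "default_debug", "default_stderr"}

# Bodies end at the first "};" which is enough for the flat syntax used here.
CHANNEL_RE = re.compile(r'channel\s+([\w-]+)\s*\{(.*?)\};', re.S)
CATEGORY_RE = re.compile(r'category\s+([\w-]+)\s*\{(.*?)\};', re.S)


def parse_logging(text):
    """Return ({channel: {dest, severity}}, {category: [channel, ...]})."""
    channels = {}
    for name, body in CHANNEL_RE.findall(text):
        if re.search(r'\bfile\s+"', body):
            dest = "file"
        elif re.search(r'\bsyslog\b', body):
            dest = "syslog"
        else:
            dest = "unknown"
        sev = re.search(r'\bseverity\s+([\w-]+);', body)
        channels[name] = {"dest": dest, "severity": sev.group(1) if sev else None}

    categories = {}
    for name, body in CATEGORY_RE.findall(text):
        # A category body is a ';'-separated list of channel names.
        categories[name] = [t.strip() for t in body.split(";") if t.strip()]
    return channels, categories


def check_logging(text):
    """List categories that route to a channel that is neither defined nor built in."""
    channels, categories = parse_logging(text)
    problems = []
    for cat, refs in categories.items():
        for ref in refs:
            if ref not in channels and ref not in BUILTIN_CHANNELS:
                problems.append(f"category {cat}: channel '{ref}' is not defined")
    return problems


def query_logging_enabled(text):
    """True unless every destination of the queries category is null.

    If no queries category is declared, BIND routes it through 'default'.
    """
    _, categories = parse_logging(text)
    refs = categories.get("queries")
    if refs is None:
        refs = categories.get("default", [])
    return any(ref != "null" for ref in refs)


if __name__ == "__main__":
    chans, cats = parse_logging(SAMPLE_LOGGING)
    for name, info in chans.items():
        print(f"channel {name}: {info['dest']}, severity {info['severity']}")
    for problem in check_logging(SAMPLE_LOGGING):
        print("PROBLEM:", problem)
    print("query logging enabled:", query_logging_enabled(SAMPLE_LOGGING))
```

On a real server the authoritative check is the one BIND ships (named-checkconf in BIND 9), which parses the whole file; this script only answers the two questions that matter after the edit discussed in the thread, namely whether every category still has a valid destination and whether per-query logging is on or off.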

-- 
redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list