On Thu, Mar 20, 2003 at 04:46:30PM -0800, mike Hughes wrote:
> What's up!
>
> Think they are supposed to be there???
>
> "/var/log/snort/206.204.10.200"
> "/var/log/snort/206.204.10.200/ICMP_ECHO"
> "/var/log/snort/206.204.10.200/TCP:4325-1080"
> "/var/log/snort/206.204.10.200/TCP:5097-1080"
> "/var/log/snort/66.134.127.35"
> "/var/log/snort/66.134.127.35/UDP:4866-1434"
> "/var/log/snort/212.244.158.151"
> "/var/log/snort/212.244.158.151/UDP:1706-1434"
> "/var/log/snort/65.54.248.22"
> "/var/log/snort/65.54.248.22/ICMP_UNRCH_PACKET_FILT"
> "/var/log/snort/217.57.54.226"
> "/var/log/snort/217.57.54.226/UDP:2133-1434"
> "/var/log/snort/4.60.127.39"
> "/var/log/snort/4.60.127.39/ICMP_ECHO"
>
>
> How can I cut down on all this logging!!!
Yeah. This happens if you make snort log to the filesystem. You'll be better off in the long run setting up a database (I use mysql, but there is support for postgresql and even mssql). Also, if you set up the ACID console you will get much more meaningful information, and more manageability over it.

Also, during the first time check the false positives you get, and see if you can set up exclusion rules for that traffic, so you get less irrelevant alerts. Doing this, I managed to suppress about 50,000 false positives/day. Most notably, I have found that traffic internal to a LAN is quite full of stuff that snort believes to be attacks, so I would strongly advise to place your snort sensor outside your firewall.

Cheers,

--
Javier Gostling D. <[EMAIL PROTECTED]>

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
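As an added illustration of the reply's three suggestions (database output, exclusion rules, keeping LAN chatter away from the sensor), here are two snort.conf fragments: the first reproduces the noisy default setup from the question, the second applies the advice. This is example configuration written for this page, not something posted in the thread; the HOME_NET range, the database credentials and the BPF file name are assumptions, and the ports excluded are the ones visible in the question's directory names.

```text
#
# Added example for the thread above (not from the original mailing-list posts).
# Assumptions: LAN is 192.168.1.0/24, MySQL runs locally with a "snort" user,
# and the BPF filter lives in a file called nolan.bpf.
#

### Before: the setup from the question ###
# Started as:  snort -c snort.conf -i eth0 -l /var/log/snort
# With no output plugin configured, snort decodes every logged packet to ASCII
# under -l, one directory per peer host, e.g.
#   /var/log/snort/66.134.127.35/UDP:4866-1434
# Every probe from the Internet therefore costs a directory and a file.
var HOME_NET 192.168.1.0/24          # assumed LAN range
var EXTERNAL_NET !$HOME_NET
# (no "output" lines, no pass rules, no BPF filter)

### After: database output plus exclusions ###
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# 1. Send alerts, and the packets that triggered them, to MySQL instead of the
#    filesystem. ACID reads this same schema. The "alert" facility carries the
#    alert records, "log" the packet payloads; drop the second line (or start
#    snort with -N) if you do not want packet logging at all.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
output database: log,   mysql, user=snort password=CHANGEME dbname=snort host=localhost

# 2. Exclusion (pass) rules for the background noise seen in the question:
#    UDP probes to 1434 and TCP connects to 1080 from outside. Pass rules are
#    evaluated after alert rules by default, so they would never fire; the
#    "config order" line (equivalent to the -o command-line switch) puts them
#    first so they short-circuit the matching alert rules.
config order: pass alert log activation dynamic
pass udp $EXTERNAL_NET any -> $HOME_NET 1434
pass tcp $EXTERNAL_NET any -> $HOME_NET 1080

# 3. Keep intra-LAN traffic away from the detection engine entirely with a BPF
#    filter, which is cheaper than pass rules because the packet is dropped by
#    libpcap before snort decodes it. Started as:
#      snort -c snort.conf -i eth0 -F nolan.bpf
#    where nolan.bpf (assumed file name) contains:
#      not (src net 192.168.1.0/24 and dst net 192.168.1.0/24)
```

Only pass traffic you have confirmed your firewall already blocks: a pass rule silences the alert without stopping the packet, so an exclusion for UDP/1434 on a network that does run MS SQL would simply blind you. After a week on the database, ACID's "most frequent alerts" and "top sources" views are the quickest way to find the next candidates for exclusion, which is the triage step the reply describes.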