ids:snort
Revision ids:snort [2018/05/03 14:31] – [Point to the new ET rules] veera, compared with ids:snort [2018/05/03 14:42] (current) – [Start snort and view analytics in TrisulNSM] veera
Open snort.conf and copy the lines from rules/
This is a bit of a chore, but you only do this once.

==== Specify a HOMENET ====
===== Configure Oinkmaster =====

Oinkmaster will keep the rules updated.

Open /
<code>

# EMERGING THREATS COMMUNITY
url = https://

</code>

Then you can test it out:

<code>
oinkmaster -C /
</code>

==== Make oinkmaster refresh at 2AM every night ====

The following crontab entry will:
  - Run at 2:00 AM every night
  - Download the latest rules and install them correctly
  - Send a SIGUSR1 to snort to reload the new rules

Open ''

<code cron>
0 2 * * * root ( /
</code>

That is pretty much it.
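The cron entry above runs oinkmaster and then signals snort unconditionally. As an added example (not from this wiki page or from Trisul), the following POSIX sh wrapper does the same job but only signals snort when the rule files actually changed, and only after ''snort -T'' has parse-tested the new ruleset, so a broken rule download cannot take the sensor down. The paths, the script name ''update_snort_rules.sh'' and the default signal are assumptions; the signal follows the SIGUSR1 used on this page.

```shell
#!/bin/sh
# Hypothetical wrapper for the 2AM cron entry (added example, not from the
# wiki page or Trisul): pull rules with oinkmaster, then signal snort only
# when the ruleset actually changed AND the new configuration passes snort's
# own self-test. All paths are assumed placeholders; adjust to your layout.
set -u

OINK_CONF="${OINK_CONF:-/etc/oinkmaster.conf}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RELOAD_SIG="${RELOAD_SIG:-USR1}"   # signal used on this page; confirm for your snort build

# Stable fingerprint of every .rules file under a directory (path + cksum).
rules_fingerprint() {
    find "$1" -type f -name '*.rules' | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$f" "$(cksum < "$f")"
    done | cksum
}

# True (exit 0) when two fingerprints differ.
rules_changed() {
    [ "$1" != "$2" ]
}

update_and_reload() {
    before="$(rules_fingerprint "$RULES_DIR")"
    oinkmaster -C "$OINK_CONF" -o "$RULES_DIR" || return 1
    after="$(rules_fingerprint "$RULES_DIR")"
    if ! rules_changed "$before" "$after"; then
        echo "rules unchanged, snort not signalled"
        return 0
    fi
    # Parse-test the new ruleset before touching the running daemon; a bad
    # rule file must not take the sensor down.
    if ! snort -T -q -c "$SNORT_CONF"; then
        echo "snort -T failed, keeping the running ruleset" >&2
        return 2
    fi
    pkill -"$RELOAD_SIG" -x snort
}

# Only act when run as a script, not when sourced (e.g. by a test harness).
if [ "${0##*/}" = "update_snort_rules.sh" ]; then
    update_and_reload
fi
```

Point the cron entry at this script instead of the inline command so the change-check and config test run on every nightly update.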
===== Start snort and view analytics in TrisulNSM =====

First stop the old instance of snort:

<code>
pkill snort
</code>

Then log in to Trisul as admin/admin:
  * go to Admin Tasks -> Start/Stop Tasks
  * on the selected network adapters -> More Options -> click on "How to start snort?"
  * copy and paste that into a terminal.

You're all done.

To view analytics in Trisul you can start with the **Real Time Alerts dashboard**.
ids/snort.1525338067.txt.gz · Last modified: 2018/05/03 14:31 by veera