Re: Snort config

2001-05-18 Thread Francois Gouget
On Fri, 18 May 2001, Iwan Mouwen wrote:

> * John Galt <[EMAIL PROTECTED]> [010516 15:24]:
> > >DEBIAN_SNORT_STATS_RCPT="root"
> >   ^
> > Change this just on principle: using root to check system email is just
> > another thing you can do as a user and not have to be logged in as root so
> > much...
> > 
> 
> Why?
> 
> # vi /etc/aliases
> root: 

   Agreed. IMHO, this is the right way to do things. Send all
maintenance and administrative email to root and set
/etc/(sendmail/)aliases accordingly.
   Then if the administrator changes from foo to bar, you only have one
file to change.

   The exception would be if you have multiple administrators for the
same machine, each responsible for a subset of the functions. Then I
would send email to account-admin, web-admin, sys-admin, etc, and,
again, point these to the appropriate physical person in the aliases
file.

--
Francois Gouget [EMAIL PROTECTED] http://fgouget.free.fr/
   RFC 2549: ftp://ftp.isi.edu/in-notes/rfc2549.txt
IP over Avian Carriers with Quality of Service

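The alias scheme Francois describes (root and role aliases such as sys-admin or web-admin pointing at whoever is currently responsible) is easy to get subtly wrong: a chain can loop, or root's mail can still end up in root's own mailbox, which is exactly what the thread wants to avoid. The following is an added example, not code from the thread; it resolves a constructed /etc/aliases table, detects loops, and reports which aliases still deliver to root.

```python
# Constructed sample /etc/aliases (not from the thread) wiring the role
# aliases Francois describes to two physical admin accounts, foo and bar.
SAMPLE_ALIASES = """
# role aliases -> the person currently responsible
root: foo
postmaster: root
sys-admin: root
web-admin: bar
account-admin: bar, foo
"""

def parse_aliases(text):
    """Map each alias to the list of targets on its 'name: a, b' line."""
    table = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        name, _, targets = line.partition(':')
        table[name.strip()] = [t.strip() for t in targets.split(',') if t.strip()]
    return table

def resolve(table, name, _seen=None):
    """Follow alias chains to the set of real mailboxes that finally receive
    the mail.  Raises ValueError on a loop such as a: b / b: a."""
    seen = _seen or []
    if name in seen:
        raise ValueError('alias loop: ' + ' -> '.join(seen + [name]))
    if name not in table:
        return {name}                      # a real mailbox, chain ends here
    boxes = set()
    for target in table[name]:
        boxes |= resolve(table, target, seen + [name])
    return boxes

def reaches_root(table):
    """Aliases whose mail still lands in root's own mailbox, i.e. mail that
    would only be read by logging in as root."""
    return sorted(a for a in table if 'root' in resolve(table, a))
```

Changing the administrator from foo to bar means editing only the `root:` line; every role alias follows.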


Re: Snort config

2001-05-18 Thread Iwan Mouwen
* John Galt <[EMAIL PROTECTED]> [010516 15:24]:
> >DEBIAN_SNORT_STATS_RCPT="root"
>   ^
> Change this just on principle: using root to check system email is just
> another thing you can do as a user and not have to be logged in as root so
> much...
> 

Why?

# vi /etc/aliases
root: 




Re: Snort config

2001-05-17 Thread John Galt
On Wed, 16 May 2001, Oki DZ wrote:

>John Galt wrote:
>> Expect changes when woody freezes: the file you reference is
>> snort.debian.conf in testing/unstable...snort.conf is a real snort.conf
>> (more in line with the upstream...)
>
>I see.
>I've been running potato (current stable, right?); well, on the
>machine that is directly connected to the Internet. That creates a lot of
>problems. My desktop always uses unstable. But I don't think that it'd be
>wise to put an unstable machine on the Internet. So I end up with
>different releases. Problem is, sometimes Gnome apps won't run
>remotely (they crash, to be exact; due to the differences in the libs).

Make sure to keep up with security.debian.org on the stable box...

>> >DEBIAN_SNORT_HOME_NET="192.168.1.x/32"
>>
>> Mine shows the routable interface's IP here: is this a munge or your NAT?
>
>The machine runs NAT.
>Actually, I want to monitor both NICs.

To get the outside interface, you need to tell it your ISP-assigned IP.
Probably it'd be a good idea to put in a CIDR including all of your
broadcast as well (the number after the slash: I use /24).

>> >DEBIAN_SNORT_OPTIONS=" -i eth0"
>>
>> is eth0 your ISP-connected NIC?
>
>No, internal. eth1 is the one that is connected to the outside.

Actually, I forgot you can put more than one interface here.  Go ahead and
prepend eth1 in there:

DEBIAN_SNORT_OPTIONS=" -i eth1 eth0"

>> >DEBIAN_SNORT_STATS_RCPT="root"
>>   ^
>> Change this just on principle: using root to check system email is just
>> another thing you can do as a user and not have to be logged in as root so
>> much...
>
>Okay.
>
>BTW, the "stable" and "unstable" release names are pretty misleading
>(misinterpreting?), right? I believe that those who happen to read
>messages on Debian lists (eg: on the archives) would think that there'd
>be Debian systems that are bound to crash daily. I think changing
>"unstable" to "development" would be nicer in the eye.

Bring it up on -policy or -devel...  What can they do, say no and flame
you to death?

>Oki
>
>
>

-- 
mailto:[EMAIL PROTECTED] Who is John Galt?

Failure is not an option. It comes bundled with your Microsoft product.
-- Ferenc Mantfeld



Re: Snort config

2001-05-17 Thread Oki DZ
John Galt wrote:
> Expect changes when woody freezes: the file you reference is
> snort.debian.conf in testing/unstable...snort.conf is a real snort.conf
> (more in line with the upstream...)

I see.
I've been running potato (current stable, right?); well, on the
machine that is directly connected to the Internet. That creates a lot of
problems. My desktop always uses unstable. But I don't think that it'd be
wise to put an unstable machine on the Internet. So I end up with
different releases. Problem is, sometimes Gnome apps won't run
remotely (they crash, to be exact; due to the differences in the libs).

> >DEBIAN_SNORT_HOME_NET="192.168.1.x/32"
>
> Mine shows the routable interface's IP here: is this a munge or your NAT?

The machine runs NAT.
Actually, I want to monitor both NICs.
 
> >DEBIAN_SNORT_OPTIONS=" -i eth0"
>
> is eth0 your ISP-connected NIC?

No, internal. eth1 is the one that is connected to the outside.
 
> >DEBIAN_SNORT_STATS_RCPT="root"
>   ^
> Change this just on principle: using root to check system email is just
> another thing you can do as a user and not have to be logged in as root so
> much...

Okay.

BTW, the "stable" and "unstable" release names are pretty misleading
(misinterpreting?), right? I believe that those who happen to read
messages on Debian lists (eg: on the archives) would think that there'd
be Debian systems that are bound to crash daily. I think changing
"unstable" to "development" would be nicer in the eye.

Oki



Re: Snort config

2001-05-16 Thread John Galt
On Wed, 16 May 2001, Oki DZ wrote:

>Hi,
>
>I have the following:
>[EMAIL PROTECTED]:~$ more /etc/snort/snort.conf
   ^
Expect changes when woody freezes: the file you reference is
snort.debian.conf in testing/unstable...snort.conf is a real snort.conf
(more in line with the upstream...)

># This file is used for options that are changed by Debian to leave
># the original lib files untouched.
># You have to use "dpkg-reconfigure snort" to change them.
>
>DEBIAN_SNORT_STARTUP=boot
>DEBIAN_SNORT_HOME_NET="192.168.1.x/32"
   
Mine shows the routable interface's IP here: is this a munge or your NAT?

>DEBIAN_SNORT_OPTIONS=" -i eth0"
   
is eth0 your ISP-connected NIC?

>DEBIAN_SNORT_STATS_RCPT="root"
  ^
Change this just on principle: using root to check system email is just
another thing you can do as a user and not have to be logged in as root so
much...

>DEBIAN_SNORT_STATS_TRESHOLD="1"
>
>How can I set Snort so that it monitors the other IP address (on the NIC
>that is connected to my ISP)? Executing dpkg-reconfigure snort basically
>does nothing (apparently).

Hmmm...  Probably you have the questions threshold too high; that's my first
guess.

>TIA,
>Oki
>
>
>

-- 
mailto:[EMAIL PROTECTED] Who is John Galt?

Failure is not an option. It comes bundled with your Microsoft product.
-- Ferenc Mantfeld
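The thread picks at three lines of the Debian snort wrapper config: a HOME_NET of "192.168.1.x/32" (a placeholder, and /32 would be a single host even once filled in, hence the /24 suggestion), a single "-i eth0" where both NICs should be listed, and stats mailed to root. This added example, not code from the thread or from the Debian package, parses a constructed copy of that file and flags those settings; the corrected FIXED_CONF is likewise constructed, and "snortadmin" is a made-up recipient.

```python
import ipaddress
import itertools
import shlex

# Constructed copy of the relevant lines from the snort.debian.conf quoted in the thread
ORIGINAL_CONF = '''
DEBIAN_SNORT_HOME_NET="192.168.1.x/32"
DEBIAN_SNORT_OPTIONS=" -i eth0"
DEBIAN_SNORT_STATS_RCPT="root"
'''

# Constructed version applying the thread's advice (/24, outside NIC first, non-root recipient)
FIXED_CONF = '''
DEBIAN_SNORT_HOME_NET="192.168.1.0/24"
DEBIAN_SNORT_OPTIONS=" -i eth1 eth0"
DEBIAN_SNORT_STATS_RCPT="snortadmin"
'''

def parse_conf(text):
    """Read KEY=value and KEY="value" lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        conf[key.strip()] = value.strip().strip('"')
    return conf

def interfaces(conf):
    """Interface names after -i in DEBIAN_SNORT_OPTIONS, up to the next flag."""
    args = shlex.split(conf.get('DEBIAN_SNORT_OPTIONS', ''))
    if '-i' not in args:
        return []
    rest = args[args.index('-i') + 1:]
    return list(itertools.takewhile(lambda t: not t.startswith('-'), rest))

def lint(conf):
    """Findings for the settings the thread picks apart; empty list means clean."""
    findings = []
    net = conf.get('DEBIAN_SNORT_HOME_NET', '')
    try:
        network = ipaddress.ip_network(net, strict=False)
        if network.prefixlen == network.max_prefixlen:
            findings.append('HOME_NET %s is a single host; use a CIDR covering the whole network' % net)
    except ValueError:
        findings.append('HOME_NET %r is not a valid CIDR; replace placeholders such as "x"' % net)
    if conf.get('DEBIAN_SNORT_STATS_RCPT') == 'root':
        findings.append('STATS_RCPT is root; alias root in /etc/aliases or name an unprivileged mailbox')
    return findings
```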