Depending on your interests and needs, you may also wish to enable or tune some of the Snort preprocessors
that are designed to respond to various threats. IP defragmentation and TCP stream reassembly are enabled by
default, to detect denial of service attacks and to support the other preprocessors. If you are being subjected to
anti-NIDS attacks such as noise generators that attempt to overwhelm Snort with a flood of alert-inducing
traffic, use:
# snort -z est ...
to limit alerts to known, established connections only. Several preprocessors are available to defeat attempts
to escape detection during attacks on specific protocols. These often take the form of path name or
instruction sequence mutations, and the preprocessors work to convert the input streams into a canonical form
that can be more readily recognized by the pattern matching rules. Port scans are noticed by preprocessors that
watch a range of protocols over time.
Finally, a variety of output plugins can direct alerts to databases, XML files, SNMP traps, a local Unix socket,
or even WinPopup messages on Windows workstations, using Samba. Many of these features are
experimental, or require special configuration options when Snort is installed; consult the documentation in
the source distribution for details.
Whenever you modify the Snort configuration or add or customize rules, use the -T option to verify that your
changes are correct. This will prevent Snort from dying unexpectedly when it next restarts, e.g., at boot time.
9.26.4 See Also
snort(8). The Snort home page is
. The Honeynet project's web site,
, contains a wealth of information about network monitoring, including Snort. See
for a sample Snort configuration file.
Recipe 9.27 Directing System Messages to Log Files (syslog)
9.27.1 Problem
You want to configure the system logger to use an organized collection of log files.
9.27.2 Solution
Set up /etc/syslog.conf for local logging:
/etc/syslog.conf:
After you modify /etc/syslog.conf, you must send a signal to force syslogd to reread it and apply your
changes. Any of these will do:
# kill -HUP `pidof syslogd`
or:
# kill -HUP `cat /var/run/syslogd.pid`
or:
# /etc/init.d/syslog reload
or:
# service syslog reload    (Red Hat)
9.27.3 Discussion
When your kernel needs to tell you something important, will you notice? If you are investigating a potential
break-in last night, will you have all of the information you need? Staying informed requires careful
configuration and use of the system logger.
The system logger collects messages from programs and even from the kernel. These messages are tagged
with a facility that identifies the broad category of the source, e.g., mail, kern (for kernel messages), or
authpriv (for security and authorization messages). In addition, a priority specifies the importance (or
severity) of each message. The lowest priorities are (in ascending order) debug, info, and notice; the highest
priority is emerg, which is used when your disk drive is on fire. The complete set of facilities and priorities are
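As an added example (not from the book), the following Python models the classic syslog.conf selector rules the discussion describes: a facility.priority selector matches that priority and every higher one, "=" restricts it to exactly one priority, "none" excludes a facility, and within a ";"-separated list the last selector naming a facility wins. The configuration it parses is constructed here for illustration.

```python
# Added example: a small model of classic syslog.conf selector semantics.
# The configuration below is constructed for illustration, not the book's own.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

SAMPLE_CONF = """\
# everything at info or above, except mail and authpriv, to the general log
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           -/var/log/maillog
kern.=debug                      /var/log/kern-debug.log
*.emerg                          *
"""

def parse_conf(text):
    """Return (selectors, action) pairs; a '-' before a path means buffered writes."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector.split(";"), action.strip()))
    return rules

def selector_decision(sel, facility, priority):
    """True/False if the selector names this facility, None if it says nothing about it."""
    facs, _, pri = sel.partition(".")
    if facs != "*" and facility not in facs.split(","):
        return None
    if pri == "none":                 # explicit exclusion of this facility
        return False
    if pri == "*":
        return True
    if pri.startswith("="):           # exactly this priority
        return priority == pri[1:]
    return PRIORITIES.index(priority) >= PRIORITIES.index(pri)  # this level and up

def route(rules, facility, priority):
    """List the actions a message with the given facility and priority would reach."""
    targets = []
    for selectors, action in rules:
        decision = None
        for sel in selectors:         # later selectors override earlier ones
            verdict = selector_decision(sel, facility, priority)
            if verdict is not None:
                decision = verdict
        if decision:
            targets.append(action)
    return targets

RULES = parse_conf(SAMPLE_CONF)
```

For instance, route(RULES, "kern", "emerg") reaches both /var/log/messages and the "*" action (all logged-in users), while route(RULES, "authpriv", "info") reaches only /var/log/secure.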