Thread: good security sniffers

  1. #1

    good security sniffers

    Anyone have any suggestions for something I can use to watch login attempts, port probes, DoS, etc.?

    I'm currently trying to get Snort to work, but I am having trouble understanding how I can get it to report to me. I did snort -v and it just scrolled IPs and IPs, and I had no idea how to read any of it. Can anyone help?

  2. #2

    Re: good security sniffers

    Configure Snort to log to a MySQL database, then use ACID to read your logs --> http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

    Right now I'm guessing you have Snort configured to output to the console, which is realistically of no use. Even if you have Snort output in its normal, default logging method, it's still very difficult and cumbersome to read.

    Snort is probably the #1 sniffer/NIDS out there (commercial and noncommercial), but it does take some getting used to and is not very friendly to the NIDS newbie. You might want to get more familiar with it by reading the docs at snort.org, or by picking up a book (more than a few have been published in the past few months, all of which are very good). The major problem with Snort in the past has been the lack of thorough documentation, but the new proliferation of books has helped amend that some.

    Unfortunately, if you want something easier to use, and a more complete package (meaning integrated rules management, log viewers, GUI configs), you will have to buy something like ISS. But that will cost you big bucks and still will not be as good as Snort.

    If you need any help with snort just post back. I'll do my best to help you out.
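    As an added example (not code from this thread or from the Snort project), here is a small Python summarizer for Snort's plain-text alert_fast log format, which turns a scrolling list of alerts into a digest by signature and by source, including the distinct ports each source touched. It assumes Snort 2.x writing one alert per line via output alert_fast; the sample alert lines, SIDs and IPs below are constructed.

```python
import re
from collections import Counter, defaultdict

# One alert per line, as Snort 2.x writes it with "output alert_fast". The Classification
# field is optional and ICMP alerts carry no ports, so both are optional here (IPv4 only).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: placeholder SIDs in the local 1000000+ range, documentation IPs.
SAMPLE_ALERTS = """\
03/14-02:15:07.101010  [**] [1:1000001:1] LOCAL SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:51422 -> 192.0.2.10:22
03/14-02:15:09.202020  [**] [1:1000001:1] LOCAL SSH login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:51423 -> 192.0.2.10:22
03/14-02:16:30.303030  [**] [1:1000002:2] LOCAL port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:139
03/14-02:16:31.404040  [**] [1:1000002:2] LOCAL port probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.10:445
03/14-02:17:00.505050  [**] [1:1000003:1] LOCAL ICMP echo sweep [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
"""

def parse_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields

def summarize(text):
    """Tally alerts by source, signature and priority, and the distinct ports each source hit."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    ports = defaultdict(set)
    for a in alerts:
        if a["dport"]:
            ports[a["src"]].add(int(a["dport"]))
    return {"total": len(alerts),
            "by_src": Counter(a["src"] for a in alerts),
            "by_sig": Counter("%s:%s %s" % (a["gid"], a["sid"], a["msg"]) for a in alerts),
            "by_prio": Counter(a["prio"] for a in alerts),
            "dports_by_src": {src: sorted(p) for src, p in ports.items()}}

def report(text):
    """Short digest a person can actually read: top signatures, then the noisiest sources."""
    s = summarize(text)
    out = ["%d alerts (priority 1/2/3: %d/%d/%d)" % (s["total"], s["by_prio"][1], s["by_prio"][2], s["by_prio"][3])]
    out += ["  %4d  %s" % (n, sig) for sig, n in s["by_sig"].most_common()]
    out += ["  %4d  from %s -> ports %s" % (n, src, s["dports_by_src"].get(src, []))
            for src, n in s["by_src"].most_common()]
    return "\n".join(out)
```

    Call report(SAMPLE_ALERTS) to see the digest, or pass the contents of a real alert_fast file; a source that keeps showing up with a growing list of ports is the port probe the original poster asked about.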

  3. #3

    Re: good security sniffers

    tcpdump and Ethereal can work really well if you actually need to see all the traffic. For what you want, syslog and /etc/services will likely do with a little common sense (assuming your firewall logs what you want it to).

  4. #4

    Re: good security sniffers

    Snort, MySQL, and ACID is a good solution, but if you can get it running, Sguil for Snort seems quite interesting.

  5. #5

    Re: good security sniffers

    Linux Journal has an article (Aug '03) on different sniffers.
