Re: SNORT

[Erek Adams <erek () theadamsfamily net>]

On Tue, 14 Aug 2001, Mel Chandler PMI wrote:

> I'm new to Linux and SNORT and was wondering if I could get some tips
> and/or help.

:)  Welcome to our little corner of packet-land.

> I have installed SNORT v1.8 rpm on Red Hat 7.1, when it
> complained about missing a file, which I believe was the rules file, I
> just supplied it with a blank file.  I'm not sure if there are some sort
> of rules I need to download or if it updates them itself.

Err...  I'm not much of a Linux fan, but I'm _really_ hoping that it did come
with some rules of some sort.  If not, you can go to:

http://snort.sourceforge.net/snortrules.tar.gz
http://www.whitehats.com/ids/vision18.rules.gz

And pick what you want. :)

> I've been seeing a lot of activity (80-90% ARP Broadcasts), but so far
> SNORT reports no activity.  Is there a way to test it and ensure it is
> working ok.

I'm going to guess you are on a DSL line.  :)  If so, you're seeing quite a
bit of CodeRed backscatter.  It's looking for folks in the same segments so it
causes a _lot_ of ARPage.  *bleh*

> Also, is there some where I show get updated rules from?  I
> kept clicking on links on the website for rules, but came to the download
> page and couldn't find anything.  Any help would be great.

Grab them from those two links, and you should be ready!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users