Snort mailing list archives

Re: Snort + Demarc


From: Mika Tuunanen <tuumi () sci fi>
Date: Fri, 07 Dec 2001 13:49:13 +0200

At 08:38 5.12.2001 -0600, you wrote:

> The default snort.conf is pretty well commented.  The first chapter of
> the snort user's manual gives a pretty good walk through on using
> snort for the first time to understand it a bit more.

Where is this 'default snort.conf' ?
When I executed snort to monitor eth0, it asked if I wanted to download 'default rules' from <dontremember>, and I allowed it. Then when I went to look through demarc's configured snort.conf, it looked like this (own IPs added):
--
# NOTE:
# This snort.conf file has been automatically generated for you
# in order to quickly bring a new snort/DEMARC sensor online.
# This is BY NO MEANS a list of all options availible to you
# from a properly optimized snort.conf file.
#
# Once your sensor is online, and you are able to control it from
# the DEMARC web interface, please go to http://snort.sourcefire.com/
# to download the sample snort.conf file which you can then customize
# to fit the needs of your network.


var HOME_NET [195.148.73.36,192.168.1.0/24]
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

preprocessor defrag
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor unidecode: 80
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

output database: log, mysql, user=snort dbname=snort password=snortor host=127.0.0.1 sensor_name=taffy
--

After this I get a lot of packets sent or received by neighbours (195.148.73.x) into my db. I tried looking for that 'sample snort.conf' from sourcefire, but the site looks really too messed up to find anything. (Must have learned Microsoft's way of doing web.)

- Mika

(PS. When replying, do send a CC: to my address, I'm not currently subscribed to the list *Sigh*)


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

