Snort mailing list archives
Re: newbie questions about snort.conf
From: twig les <twigles () yahoo com>
Date: Fri, 26 Jul 2002 09:49:18 -0700 (PDT)
1. To detect internal and external attacks make EXTERNAL_NET = any.

2. Yes, you will have problems with rules if you comment out the SQL...variables. Even if you get it to work by pruning all of those rules all you've accomplished is missing those attacks against you (futile as they are). Plus you never know when someone is running Visio, therefore may be vulnerable to the latest microshaft exploit. Better to make these variables = HOME_NET or any.

3. Yes, cp the new rules to the snort directory where you have the current rules, overwriting the current rules in the process. I don't use oinkmaster (yet), rather a 5 or 6 line script that uses wget to grab new rules each day and replace the old ones.

--- Daniel Lopez <dlopez () tct hut fi> wrote:
Hello,

I'm a newbie with Snort and I guess you will find the following questions are basic.

I'm performing some tests on Snort with two LANs. I set the HOME_NET and EXTERNAL_NET variables to these values:

var HOME_NET 10.50.1.0/24
var EXTERNAL_NET !$HOME_NET

However, I would like to detect attacks from both subnets. Do you know if I will be able to detect attacks from both sides (from inside and outside my home network) with these values or should I set them to ANY?

Then, because I am using small LANS for tests, I don't have any SMTP, HTTP and SQL servers. Thus, do I have to set the other variables to ANY (HTTP_SERVERS, SQL_SERVERS,...) or do I have to comment them? (however, if I comment them, I will have problems with rules, isn't it?)

Last question [sorry! :( ], I downloaded last version 1.8.7 and the snort rulesets. My question is how do I update rules? Can I do it manually by copying them to the default Snort directory or only by changing the RULE_PATH variable, or do I have to use a script such as Oinkmaster?

Thanks in advance for all your help and sorry for all these basic questions...

Daniel Lopez
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------
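The problem raised in point 2 of the reply (rules referencing a variable that has been commented out of snort.conf) can be caught before Snort is restarted. The following is an added example, not part of the original messages or of Snort itself: it assumes the `var NAME value` syntax quoted in the thread, and the sample config, the sample rules, their sids and the function names are all constructed for illustration.

```python
import re

VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")  # commented-out lines never match
VAR_REF = re.compile(r"\$(\w+)")

# Constructed sample: a snort.conf fragment with SQL_SERVERS commented out.
SAMPLE_CONF = """
var HOME_NET 10.50.1.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
# var SQL_SERVERS $HOME_NET
"""

# Constructed sample rules (simplified, local sids), not taken from a real ruleset.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed web rule"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"constructed sql rule"; sid:1000002;)
"""

def parse_vars(conf_text):
    """Return {name: raw value} for every active 'var' line."""
    matches = (VAR_LINE.match(line) for line in conf_text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def resolve(name, variables, seen=()):
    """Expand nested $VAR references; raise KeyError on an undefined or cyclic one."""
    if name not in variables or name in seen:
        raise KeyError(name)
    expand = lambda m: resolve(m.group(1), variables, seen + (name,))
    return VAR_REF.sub(expand, variables[name])

def check_rules(conf_text, rules_text):
    """Map each variable that cannot be resolved to the sids of the rules using it."""
    variables = parse_vars(conf_text)
    problems = {}
    for rule in rules_text.splitlines():
        if not rule.strip() or rule.lstrip().startswith("#"):
            continue
        header = rule.split("(", 1)[0]  # variables live in the rule header
        sid = re.search(r"sid:\s*(\d+)", rule)
        for ref in VAR_REF.findall(header):
            try:
                resolve(ref, variables)
            except KeyError:
                problems.setdefault(ref, []).append(sid.group(1) if sid else "?")
    return problems

if __name__ == "__main__":
    print("EXTERNAL_NET resolves to", resolve("EXTERNAL_NET", parse_vars(SAMPLE_CONF)))
    for var, sids in check_rules(SAMPLE_CONF, SAMPLE_RULES).items():
        print("undefined $%s used by sid(s): %s" % (var, ", ".join(sids)))
```

Resolving `EXTERNAL_NET` also makes the first question concrete: with the values from the original message it expands to everything except 10.50.1.0/24, so rules whose source is `$EXTERNAL_NET` do not match traffic originating inside the home network.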
Current thread:
- newbie questions about snort.conf Daniel Lopez (Jul 26)
- Re: newbie questions about snort.conf twig les (Jul 26)
- RE: newbie questions about snort.conf Daniel Lopez (Jul 26)
- Re: newbie questions about snort.conf Erek Adams (Jul 26)
- Re: newbie questions about snort.conf twig les (Jul 26)