Snort mailing list archives
Re: newbie questions about snort.conf
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 26 Jul 2002 10:43:52 -0700 (PDT)
On Fri, 26 Jul 2002, Daniel Lopez wrote:
> Hello,
Hi!
> I'm a newbie with Snort and I guess you will find the following questions are basic.
Ok, since you claim to be a newbie, I'm going to give you a couple of links[0] that will be very useful as you start to work with snort.
> I'm performing some tests on Snort with two LANs. I set the HOME_NET and EXTERNAL_NET variables to these values:
>
>     var HOME_NET 10.50.1.0/24
>     var EXTERNAL_NET !$HOME_NET
>
> However, I would like to detect attacks from both subnets. Do you know if I will be able to detect attacks from both sides (from inside and outside my home network) with these values or should I set them to ANY?
Yes. But this will be prone to a high rate of false positives.
> Then, because I am using small LANs for tests, I don't have any SMTP, HTTP and SQL servers. Thus, do I have to set the other variables to ANY (HTTP_SERVERS, SQL_SERVERS,...) or do I have to comment them? (however, if I comment them, I will have problems with rules, isn't it?)
You could set them to any, but again, the false positives would be very high. If you're just worried about testing, you might want to set them to $HOME_NET and try working with it.
> Last question [sorry! :( ], I downloaded last version 1.8.7 and the snort rulesets. My question is how do I update rules?
Carefully. :)
> Can I do it manually by copying them to the default Snort directory or only by changing the RULE_PATH variable, or do I have to use a script such as Oinkmaster?
Ok, you'll get a lot of different answers on this, but... It doesn't matter how you update them. Do whatever works for you. I've got my own 'weird reasons' for doing some things the way I do, but that's me. :)

Most basic way: Get the new rules, untar them in a temp dir and then diff the temp dir vs. the RULE_PATH dir. You might need to change things, you might not. :)
> Thanks in advance for all your help and sorry for all these basic questions...
No problems! Enjoy the world of Snort! ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

[0] http://www.snort.org/docs/faq.html
    http://www.snort.org/docs/writing_rules/
    http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2
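
The "most basic way" from the reply above (untar the new rules in a temp dir, then diff that against the RULE_PATH dir), written out as an added example; it is not part of the original message or of the Snort distribution. The function name `review_rules`, the file names in the usage comment, and the assumed tarball layout are illustrative.

```shell
#!/bin/sh
# Added example: stage a downloaded ruleset in a temp dir and compare it
# with the live RULE_PATH directory. Nothing is copied into RULE_PATH.
# Assumption: the tarball is gzip-compressed and holds its *.rules files
# in a single directory (the directory name does not matter).

# review_rules TARBALL RULE_PATH
# Prints NEW / CHANGED / LOCAL-ONLY per rule file, plus a unified diff for
# each changed file. Returns 0 if identical, 1 if different, 2 on error.
review_rules() {
    local tarball live stage first new rc f name
    tarball=$1; live=$2; rc=0
    stage=$(mktemp -d) || return 2
    if ! tar -xzf "$tarball" -C "$stage"; then rm -rf "$stage"; return 2; fi
    first=$(find "$stage" -name '*.rules' | head -n 1)
    if [ -z "$first" ]; then
        echo "no .rules files in $tarball" >&2; rm -rf "$stage"; return 2
    fi
    new=$(dirname "$first")

    for f in "$new"/*.rules; do
        name=$(basename "$f")
        if [ ! -e "$live/$name" ]; then
            echo "NEW        $name"; rc=1
        elif ! cmp -s "$live/$name" "$f"; then
            # Local edits show up as '-' lines: decide per rule whether
            # to keep them before copying the new file over.
            echo "CHANGED    $name"; rc=1
            diff -u "$live/$name" "$f" || true
        fi
    done
    # Files only in RULE_PATH: local rules, or files dropped upstream.
    for f in "$live"/*.rules; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ ! -e "$new/$name" ]; then echo "LOCAL-ONLY $name"; rc=1; fi
    done
    rm -rf "$stage"
    return "$rc"
}

# Usage (placeholder names): sh review_rules.sh snortrules.tar.gz /etc/snort/rules
if [ "$#" -eq 2 ]; then review_rules "$1" "$2"; fi
```

A CHANGED file is the case to read line by line: rules you disabled or tuned locally appear as removed lines in the diff and would be lost by a plain copy.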