Re: newbie questions about snort.conf

[Erek Adams <erek () theadamsfamily net>]

On Fri, 26 Jul 2002, Daniel Lopez wrote:

> Hello,

Hi!

> I'm a newbie with Snort and I guess you will find the following
> questions are basic.

Ok, since you claim to be a newbie, I'm going to give you a couple of links[0]
that will be very useful as you start to work with snort.

> I'm performing some tests on Snort with two LANs. I set the HOME_NET and
> EXTERNAL_NET variables to these values:
>
> var HOME_NET 10.50.1.0/24
> var EXTERNAL_NET !$HOME_NET
>
> However, I would like to detect attacks from boths subnets. Do you know
> if I will be able to detect attacks from both sides (from inside and
> outside my home network) with these values or should I set them to ANY?

Yes.  But this will be prone to a high rate of false postives.

> Then, because I am using small LANS for tests, I don't have any SMTP,
> HTTP and SQL servers.
> Thus, do I have to set the other variables to ANY (HTTP_SERVERS,
> SQL_SERVERS,...) or do I have to comment them? (however, if I comment
> them, I will have problems with rules, isn't it?)

You could set them to any, but again, the false postives would be very high.
If you're just worried about testing, you might want to set them to $HOME_NET
and try working with it.

> Last question [sorry! :( ], I downloaded last version 1.8.7 and the
> snort rulesets.
> My question is how do I update rules?

Carefully.  :)

> Can I do it manually by copying them to the default Snort directory or
> only by changing the RULE_PATH variable, or do I have to use a script
> such as Oinkmaster?

Ok, you'll get a lot of different answers on this, but...  It doesn't matter
how you update them.  Do whatever works for you.  I've got my own 'wierd
reasons' for doing some things the way I do, but that's me.  :)

Most basic way:  Get the new rules, untar them in a temp dir and then diff the
temp dir vs. the RULE_PATH dir.  You might need to change things, you might
not.  :)

> Thanks in advance for all your help and sorry for all these basic
> questions...

No problems!  Enjoy the world of Snort! ;-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


[0]     http://www.snort.org/docs/faq.html
        http://www.snort.org/docs/writing_rules/
        http://marc.theaimsgroup.com/?l=snort-users&r=1&w=2



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users