Snort mailing list archives
arachnids ids updater script
From: "Kevin Brown "usedcomputersales.net"" <isp () dotgonepc com>
Date: Sat, 21 Dec 2002 23:08:12 -0800
So I am using Smoothwall firewall 1.0, but its virus.rules IDS rule set is seriously lacking. So I went to whitehats.com and got their arachnids updater.40.tar.gz, and ran it on my Linux box. I then used scp to copy it to the Smoothwall and overwrote the old virus.rules.

My question is this: Does the IDS take into consideration any internal-external IP addresses? I think automation is great and want to write rules myself, but how does my IDS look from outside using a generic set of rules? Here is an example:

alert TCP $EXTERNAL any -> $INTERNAL 1080 (msg: "IDS481/misc_socks-overflow-x86linux"; flags: A+; content: "|eb29 5e 897630 89f0 83c008 894634|";)

This is IDS 481, which says: for any TCP packet from external to internal (meaning my DHCP cable modem to my internal 192.168.X.X NIC) on port 1080 with content of blah, send an alert. Does Snort know the internal and external NICs by name and IP?

Kevin Brown
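The following is an added example, not part of the original post or of Snort's code: it models how the header of the quoted rule is evaluated once $EXTERNAL and $INTERNAL have been replaced by `var` definitions from the Snort configuration file. The `var` values, the sample addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed snort.conf-style definitions (assumed values, not from the post).
SAMPLE_CONF = """
var INTERNAL 192.168.1.0/24
var EXTERNAL !$INTERNAL
"""
# Header of the rule quoted in the post; the options in parentheses are not evaluated.
RULE_HEADER = "alert TCP $EXTERNAL any -> $INTERNAL 1080"


def parse_vars(conf_text):
    """Collect `var NAME value` lines into a dict."""
    variables = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def addr_matches(spec, ip, variables, depth=0):
    """True if ip is covered by spec: any, a CIDR block, !negation or $VAR."""
    if depth > 8:
        raise ValueError("variable reference loop")
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables, depth + 1)
    if spec.startswith("$"):
        if spec[1:] not in variables:
            raise KeyError("undefined variable " + spec)
        return addr_matches(variables[spec[1:]], ip, variables, depth + 1)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(header, variables, src_ip, src_port, dst_ip, dst_port):
    """Check one packet's addresses and ports against a -> rule header."""
    _action, _proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only -> headers are handled here")
    ports_ok = sport in ("any", str(src_port)) and dport in ("any", str(dst_port))
    return (ports_ok and addr_matches(src, src_ip, variables)
            and addr_matches(dst, dst_ip, variables))


if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    print(header_matches(RULE_HEADER, v, "203.0.113.7", 40000, "192.168.1.10", 1080))
```

With these assumed values, a packet still addressed to a public address (captured before address translation) does not fall inside $INTERNAL, because the header is compared against addresses rather than interface names.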