Snort mailing list archives
Newbie Notes and Question on Rule Creation
From: "Mark Olbert" <mark () arcabama com>
Date: Mon, 23 Feb 2004 12:48:42 -0800
Thanx to everyone who's been answering my ignorant questions about snort these last few days. I think I've finally figured out the basics of how to get snort and barnyard to play together. In fact, I'm wondering if there would be some value in me writing up my notes as kind of a "newbie's notes on snort"? I'd be happy to take a crack at that, just let me know who/where to send it to.

Regarding creating rules, I would like to use snort to log every packet hitting the external interface on my multi-homed firewall/router. I don't plan on doing this long-term, but having just been hacked (through a firewall, I might add), I thought it would be educational to see just how much crap is hitting my firewall. However, I'd like to avoid logging packets that are coming back at me as a result of a request from one of my private LAN clients (e.g., someone browsing the web on a client machine).

From reading the snort pdf, I think the way to do this is to build two rules, one that uses flow to drop any packet hitting the external interface that results from a client request (i.e., to_client | from_client), followed by one that logs everything remaining. Is that the way to go? If not, what would work?

Thanx in advance for any help or advice!

- Mark
mark () arcabama com
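The two-rule approach the post describes, written out as an added example (it is not part of the original message and not Snort project code). It assumes the Snort 2.x rule language, that `$HOME_NET` and `$EXTERNAL_NET` are defined in snort.conf (with `$HOME_NET` covering the firewall's external address), and that the stream preprocessor is enabled so the `flow` keyword can tell which side of a TCP session a packet belongs to. The SIDs are constructed local values.

```snort
# Added example, not from the original post. Assumes Snort 2.x rule syntax,
# $HOME_NET / $EXTERNAL_NET set in snort.conf, and stream tracking enabled.
# SIDs 1000001/1000002 are constructed values in the local (1000000+) range.

# 1. Let through replies to TCP sessions that a LAN client opened.
#    flow:to_client,established matches only packets travelling toward the
#    client side of a session whose three-way handshake stream has seen.
pass tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"reply to LAN-initiated TCP session"; flow:to_client,established; sid:1000001; rev:1;)

# 2. Log every other packet arriving from outside (unsolicited traffic).
#    'ip' matches all IP protocols, so UDP and ICMP are logged as well.
log ip $EXTERNAL_NET any -> $HOME_NET any (msg:"unsolicited inbound packet"; sid:1000002; rev:1;)
```

Two checks before relying on this: Snort 2.x evaluates rule types in the order alert, pass, log by default, so the `pass` rule only wins over the `log` rule if pass rules are moved first (the `-o` command-line switch, or `config order: pass alert log` in snort.conf); and `flow` depends on TCP session state, so replies to LAN-initiated UDP exchanges (DNS answers, for instance) still fall through to rule 2 and will appear in the log unless they are handled separately.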