Snort mailing list archives

Newbie Notes and Question on Rule Creation


From: "Mark Olbert" <mark () arcabama com>
Date: Mon, 23 Feb 2004 12:48:42 -0800

Thanx to everyone who's been answering my ignorant questions about snort
these last few days. I think I've finally figured out the basics of how to
get snort and barnyard to play together. In fact, I'm wondering if there
would be some value in me writing up my notes as kind of a "newbie's notes
on snort"? I'd be happy to take a crack at that, just let me know who/where
to send it to.

Regarding creating rules, I would like to use snort to log every packet
hitting the external interface on my multi-homed firewall/router. I don't
plan on doing this long-term, but having just been hacked (through a
firewall, I might add), I thought it would be educational to see just how
much crap is hitting my firewall.

However, I'd like to avoid logging packets that are coming back at me as a
result of a request from one of my private LAN clients (e.g., someone
browsing the web on a client machine). From reading the snort pdf, I think
the way to do this is to build two rules, one that uses flow to drop any
packet hitting the external interface that results from a client request
(i.e., to_client | from_client), followed by one that logs everything
remaining.

Is that the way to go? If not, what would work?

Thanx in advance for any help or advice!

- Mark

mark () arcabama com
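One way to write the two-rule approach described above in Snort 2.x syntax, as an added example that is not part of the original post; it assumes $HOME_NET and $EXTERNAL_NET are set in snort.conf and that a stream preprocessor is enabled, since the flow keyword needs session tracking.

```snort
# Added example (not from the original post). Assumes HOME_NET and
# EXTERNAL_NET are defined in snort.conf and a stream preprocessor
# (stream4 at the time of this post) is loaded, because the flow
# keyword relies on its session state. Snort's default rule-type
# order is alert -> pass -> log, so the pass rule is evaluated before
# the log rule and packets it matches never reach the log rule.

# 1. Pass (do not log) inbound TCP packets that belong to a session a
#    LAN client opened: "to_client" plus "established" means the
#    external host is answering, not initiating.
pass tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"reply to LAN-initiated session, not logged"; \
     flow:to_client,established; sid:1000001; rev:1;)

# 2. Log everything else arriving from outside. "ip" covers TCP, UDP
#    and ICMP. Caveat: stream4 tracks TCP sessions only, so UDP replies
#    to LAN clients (e.g. DNS answers) are still logged by this rule.
log ip $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"inbound packet on external interface"; sid:1000002; rev:1;)
```

Because the log rule matches every remaining inbound packet, expect the log volume on a busy link to be large; keep it to the short-term experiment described above.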
