Snort mailing list archives
Newbie - Rules updates, multiple interfaces, etc.
From: "Mark G. Spencer" <mspencer () evidentdata com>
Date: Sun, 9 May 2004 11:41:22 -0700
Hello all,

I've been away from Snort for a while and just got back into it yesterday. I'm running Snort on two machines, one Win98 and another WinXP Professional. The command I run (from the USAGE document) is:

    Snort -d -h (IP Address)/24 -l (Path to Log Folder) -c (Path to snort.conf)

This works pretty good - I came in this morning and had almost 150 alerts on one of the Snort machines.

I'm curious about some things:

1.) Is there a way to automate rules updates?

2.) On Win98/2K/XP, can I configure Snort to run on two interfaces, logging to separate log folders? Or run two instances of Snort, one for each interface? My thought here is having one interface outside the firewall and one inside.

3.) I'm not much of a database person and have had difficulty with MySQL in the past. For those of you running Snort that are not all that great with databases, how do you recommend collecting and reviewing the Snort output?

4.) I asked this when I first tried Snort - how can I enable *all* Snort rules? I got an answer (or answers) back that you wouldn't want to do this, you should tune your rules for the platforms Snort is running in front of. This doesn't make sense to me from a security perspective - who's to say through an intrusion, other IT guys, or the curious guy in engineering that new services will appear on your network you hadn't planned on? If you have the processing power, wouldn't you want Snort utilizing the full ruleset?

Thanks in advance for suffering through the newbie questions!

Mark
Current thread:
- Newbie - Rules updates, multiple interfaces, etc. Mark G. Spencer (May 09)
- <Possible follow-ups>
- Re: Newbie - Rules updates, multiple interfaces, etc. Richard Bejtlich (May 10)