Snort mailing list archives
RE: Snort rules
From: "Chris Vaughan" <chrisv () parkavebank com>
Date: Tue, 8 Feb 2005 15:28:59 -0500
The truthful answer is this: the rules are set up to meet the needs of *most* users. If the rule doesn't fit your needs, then make a modified copy of it and stick it in your local.rules file. Don't expect Snort to completely match your needs right out of the box. Most of us have spent weeks/months setting up custom rules, thresholds, and the like to make Snort work in our environments.

Chris Vaughan

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of sEc nErD
Sent: Tuesday, February 08, 2005 3:17 PM
To: Snort Users Postings
Subject: RE: [Snort-users] Snort rules

I have a question for security admins here. Our client performed an internal port scan using SuperScan on their internal network. When I say internal network I mean private network LAN. Our Snort sensor didn't catch any of it, the whole port scan, and after doing some digging I saw the scan.rules file and saw that it is checking all inbound port scans like $external any-->$Home Network

Now the client is questioning us as to why this should not be checked both ways. He is saying that if it is somebody in their network doing a port scan, it will go unnoticed.

Can anybody answer this?

Thanks