[Snort-users] What rules file

Joe McAlerney joey at ...155...
Fri Oct 6 12:52:07 EDT 2000


Hi Steve,

This question pops up every once in a while.  There is not really any
one answer either.  You should initially be asking yourself, "What do I
want to look for on my network?"  Then, sift through a rule set and
remove (or pass on) rules that don't fit your needs, or customize them
to make them work for your network.  

The snort.org rule set incorporates the rules from vision.conf.  I am
not sure how often this is.  The rules in vision.conf have IDS numbers
that can be used as keys to search on in the arachNIDS database at
whitehats.com for more information.  Lots of good stuff in there.

I believe posted rules make their way into snort.org's rule set in one
way or another.

-Joe M.


Steve Brown wrote:
> 
> Hi
> 
> I am new to snort, but have it running and it works well.
> However there is one thing I am a little confused about and have been unable
> to track down any documentation on it. There has been an amount of discussion
> on it as well. Should I be using the snort.org rules or should it be a
> combination of snort.org, vision.conf, and rules posted to the newsgroup?
> Any indications on what others are using would be appreciated.
> 
> Thanks