[Snort-users] Snort-IDS-HOWTO

Gene R. Gomez ggomez at ...677...
Thu Oct 26 13:33:24 EDT 2000

Hey folks,
Has anyone attempted to write a HOWTO for the LDP on a snort implementation?
I've been tinkering with snort for a short while now (around 2 weeks), but
my work would have been much easier if a HOWTO had existed when I started.
Once again, I'm not an expert by any means, but if no one here is already
working on this, I'd be willing to draft up a preliminary HOWTO that someone
else (with far more experience than I) could edit for security/accuracy.
Essentially, to give you an idea, my snort implementation (and the one I'd
put together in the HOWTO) uses three rulesets:
1.    vision.rules
2.    10102k.rules
3.    home.rules (this is just a "home team advantage" ruleset that defines
services that would be normal on other networks, but don't exist in my own)
It uses the snort-update script (slightly modified) to check for new
vision.rules sets every hour and automatically update, and send a report
containing updates, snort.alert, and portscan.log (if any of these reports
are valid) via SMTP.
The idea is that if dev.whitehats.com is down, wget will retrieve a bad copy
of vision.rules, and wipe the existing, good one out.  In that case, the
most recent "official" snort ruleset is still in effect.  Preference is
given to vision.rules because it's hoped that a dynamically updated listing
will be more thorough than the static one that has to be updated manually
from snort.org.
Is this something that anyone else is working on?  If not, is there any
chance I could interest an experienced snort user to proof-read my (most
likely flawed) HOWTO when I'm done?  Or is it something the community as a
whole would like to review?
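The hourly update described above can lose the good vision.rules when the download fails; the following is an added example (not from the post, and not the snort-update script itself) of validating the downloaded candidate before it replaces the existing file. The file paths, the `looks_like_snort_rules` check and the separate download step are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the snort-update script. Validates a
# freshly downloaded ruleset before it replaces the known-good copy, so a
# failed wget (empty file or HTML error page) cannot wipe a working vision.rules.
# Assumed: the download step has already written the candidate to a temp file.

# Succeed only if FILE looks like a usable Snort ruleset: non-empty, not an
# HTML error page, and containing at least one rule line with a common action keyword.
looks_like_snort_rules() {
    file="$1"
    [ -s "$file" ] || return 1
    grep -qi '<html' "$file" && return 1
    grep -Eq '^[[:space:]]*(alert|log|pass)[[:space:]]+(tcp|udp|icmp|ip)[[:space:]]' "$file"
}

# Move CANDIDATE over CURRENT only when CANDIDATE validates; otherwise leave
# CURRENT untouched, discard the candidate and return non-zero so the caller
# (e.g. the hourly cron job) can skip the "rules updated" mail.
install_rules_if_valid() {
    candidate="$1"
    current="$2"
    if looks_like_snort_rules "$candidate"; then
        # rename within one filesystem is atomic: snort never reads a half-written file
        mv "$candidate" "$current" && echo updated
    else
        rm -f "$candidate"
        echo kept
        return 1
    fi
}

# Stand-alone demonstration with constructed data; no network access needed.
demo() {
    dir=$(mktemp -d)
    printf 'log tcp any any -> any 22 (msg:"constructed old rule";)\n' > "$dir/vision.rules"
    printf 'alert tcp any any -> any 80 (msg:"constructed new rule";)\n' > "$dir/candidate"
    install_rules_if_valid "$dir/candidate" "$dir/vision.rules"       # prints: updated
    printf '<html><body>503 Service Unavailable</body></html>\n' > "$dir/candidate"
    install_rules_if_valid "$dir/candidate" "$dir/vision.rules" || :  # prints: kept
    grep -c 'constructed new rule' "$dir/vision.rules"                 # prints: 1
    rm -rf "$dir"
}

demo
```

In the cron job this would sit between the wget call (writing to the candidate path) and the step that mails the report, so the mail goes out only on an actual update.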
