[Snort-users] Snort-IDS-HOWTO

Daniel Harrison danielh at ...690...
Thu Oct 26 14:38:50 EDT 2000

In the September 2000 issue of sysadmin there is an article covering the
installation of snort. I just started to read it so I don't know if it
covers everything or not.


"Gene R. Gomez" wrote:

> Hey folks,
>
> Has anyone attempted to write a HOWTO for the LDP on a snort
> implementation?  I've been tinkering with snort for a short while now
> (around 2 weeks), but my work would have been much easier if a HOWTO had
> existed when I started.
>
> Once again, I'm not an expert by any means, but if no one here is already
> working on this, I'd be willing to draft up a preliminary HOWTO that
> someone else (with far more experience than I) could edit for
> security/accuracy.
>
> Essentially, to give you an idea, my snort implementation (and the one
> I'd put together in the HOWTO) uses three rulesets:
>
> 1. vision.rules
> 2. 10102k.rules
> 3. home.rules (this is just a "home team advantage" ruleset that defines
>    services that would be normal on other networks, but don't exist in my
>    own)
>
> It uses the snort-update script (slightly-modified) to check for new
> vision.rules sets every hour and automatically update, and send a report
> containing updates, snort.alert, and portscan.log (if any of these reports
> are valid) via SMTP.
>
> The idea is that if dev.whitehats.com is down, wget will retrieve a bad
> copy of vision.rules, and wipe the existing, good one out.  In that case,
> the most recent "official" snort ruleset is still in effect.  Preference
> is given to vision.rules because it's hoped that a dynamically updated
> listing will be more thorough than the static one that has to be updated
> manually from snort.org.
>
> Is this something that anyone else is working on?  If not, is there any
> chance I could interest an experienced snort user to proof-read my (most
> likely flawed) HOWTO when I'm done?  Or is it something the community as
> a whole would like to review?
>
> -Gene
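The failure mode Gene describes, a dead or misbehaving server causing wget to overwrite a good vision.rules with a bad copy, is avoidable by fetching into a temporary file and only replacing the live ruleset after the candidate passes a sanity check. The script below is an added example written for this thread; it is not the snort-update script, nor Gene's or Daniel's code. RULES_URL, RULES_FILE and the function names are placeholders chosen here, not values from the post.

```shell
#!/bin/sh
# Added example: replace a snort rules file only when the freshly fetched
# copy passes sanity checks, so a failed download cannot wipe the existing
# good copy. RULES_URL and RULES_FILE are placeholders (assumptions, not
# values from the mailing-list post); override them in the environment.

RULES_URL="${RULES_URL:-http://example.invalid/vision.rules}"   # placeholder URL
RULES_FILE="${RULES_FILE:-/etc/snort/vision.rules}"             # placeholder path

# Sanity-check a candidate rules file: it must be non-empty and contain at
# least one line that starts like a snort rule (alert/log/pass ...).
# An empty file or an HTML error page served with HTTP 200 fails this test.
rules_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -Eq '^[[:space:]]*(alert|log|pass)[[:space:]]+' "$f" || return 1
    return 0
}

# Install a candidate over the target atomically (mv on the same filesystem),
# keeping the previous copy as <target>.bak.
# Returns 0 if the target was replaced, 1 if the candidate was rejected,
# 2 if the candidate is identical to what is already installed.
install_rules() {
    candidate="$1"
    target="$2"
    if ! rules_file_ok "$candidate"; then
        echo "rejected: $candidate failed sanity checks; keeping $target" >&2
        rm -f "$candidate"
        return 1
    fi
    if [ -f "$target" ] && cmp -s "$candidate" "$target"; then
        rm -f "$candidate"
        return 2
    fi
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    mv "$candidate" "$target"
    return 0
}

# Fetch into a temporary file beside the target, then hand it to install_rules.
# wget's exit status alone is not a sufficient check: a server can answer a
# request for vision.rules with an error page and status 200.
update_rules() {
    target="$1"
    url="$2"
    tmp="$target.tmp.$$"
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"
        echo "fetch of $url failed; keeping $target" >&2
        return 1
    fi
    install_rules "$tmp" "$target"
}

# The network step runs only when invoked as "script --run", e.g. from cron;
# sourcing the file (as a test would) defines the functions without fetching.
if [ "${1:-}" = "--run" ]; then
    update_rules "$RULES_FILE" "$RULES_URL"
    rc=$?
    case $rc in
        0) echo "rules updated; previous copy saved as $RULES_FILE.bak" ;;
        2) echo "rules unchanged" ;;
        *) echo "rules not updated" ;;
    esac
fi
```

The check in rules_file_ok is deliberately cheap; where snort itself is installed on the sensor, having it parse the candidate file in its configuration-test mode before the mv is a stronger gate, and the exit status of the --run invocation is what the hourly SMTP report should key on.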

