[Snort-users] Snort-IDS-HOWTO

Karl Lovink karl at ...500...
Sat Oct 28 02:52:35 EDT 2000


I have to make an installation and configuration document for snort; maybe we
can make the HOWTO together.

Let me know if you are interested.

Cheers and beers
  -----Original message-----
  From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On behalf of Gene R. Gomez
  Sent: Thursday, 26 October 2000 19:33
  To: 'snort-users at lists.sourceforge.net'
  Subject: [Snort-users] Snort-IDS-HOWTO

  Hey folks,
  Has anyone attempted to write a HOWTO for the LDP on a snort
implementation?  I've been tinkering with snort for a short while now
(around 2 weeks), but my work would have been much easier if a HOWTO had
existed when I started.
  Once again, I'm not an expert by any means, but if no one here is already
working on this, I'd be willing to draft up a preliminary HOWTO that someone
else (with far more experience than I) could edit for security/accuracy.
  Essentially, to give you an idea, my snort implementation (and the one I'd
put together in the HOWTO) uses three rulesets:
  1.    vision.rules
  2.    10102k.rules
  3.    home.rules (this is just a "home team advantage" ruleset that
defines services that would be normal on other networks, but don't exist in
my own)
  It uses the snort-update script (slightly modified) to check for new
vision.rules sets every hour and automatically update, and send a report
containing updates, snort.alert, and portscan.log (if any of these reports
are valid) via SMTP.
  The idea is that if dev.whitehats.com is down, wget will retrieve a bad
copy of vision.rules, and wipe the existing, good one out.  In that case,
the most recent "official" snort ruleset is still in effect.  Preference is
given to vision.rules because it's hoped that a dynamically updated listing
will be more thorough than the static one that has to be updated manually
from snort.org.
  Is this something that anyone else is working on?  If not, is there any
chance I could interest an experienced snort user to proof-read my (most
likely flawed) HOWTO when I'm done?  Or is it something the community as a
whole would like to review?
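The hourly wget update described above has the weak spot the message itself names: a fetch that comes back with a bad copy (an error page, a truncated or empty download) can overwrite the good vision.rules already on disk. The script below is an added example written for this page; it is not the snort-update script from the thread nor anything shipped by snort.org or whitehats. It downloads to a scratch file beside the live ruleset, refuses anything that does not look like Snort rules, and only then renames the new file into place, keeping the previous copy as a backup. The RULES_DIR default, the function names and the exit-code convention are assumptions.

```shell
#!/bin/sh
# Added example for this page, not the snort-update script mentioned in the thread.
# Fetch a ruleset to a scratch file, sanity-check it, and only then rename it over
# the live copy, so an unreachable or broken mirror never clobbers the good ruleset.
# RULES_DIR and the helper names below are assumptions; set them for your site.

RULES_DIR="${RULES_DIR:-/etc/snort}"
DEFAULT_DEST="$RULES_DIR/vision.rules"

# validate_rules FILE
# Succeeds only if FILE is non-empty, contains at least one rule, and every line
# that is not blank or a comment starts with a rule action (or a var/include
# directive). A mirror that answers with an HTML error page, or a zero-length
# download, fails here. Assumes one rule per line (no backslash continuations).
validate_rules() {
    [ -s "$1" ] || return 1
    # at least one real rule line
    grep -q -E '^[[:space:]]*(alert|log|pass|activate|dynamic)[[:space:]]' "$1" || return 1
    # no leftover line that is neither a rule, a directive, a comment nor blank
    if grep -v -E '^[[:space:]]*(#|$)' "$1" \
        | grep -q -v -E '^[[:space:]]*(alert|log|pass|activate|dynamic|var|include)[[:space:]]'; then
        return 1
    fi
    return 0
}

# install_rules NEW DEST
# Validate NEW, then move it over DEST (a rename when both are on the same
# filesystem), keeping the old copy as DEST.bak.
# Returns 0 if a new ruleset was installed, 1 if NEW is identical to DEST,
# 2 if NEW failed validation. NEW is consumed in every case; DEST is only
# replaced on success.
install_rules() {
    new="$1"; dest="$2"
    if ! validate_rules "$new"; then
        echo "install_rules: $new is not a usable ruleset, keeping $dest" >&2
        rm -f "$new"
        return 2
    fi
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then
        rm -f "$new"
        return 1
    fi
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 2
    fi
    mv "$new" "$dest"
}

# fetch_rules URL DEST
# Download URL into a scratch file next to DEST and hand it to install_rules.
fetch_rules() {
    url="$1"; dest="$2"
    tmp=$(mktemp "$(dirname "$dest")/.rules.XXXXXX") || return 2
    if ! wget -q -O "$tmp" "$url"; then
        echo "fetch_rules: download of $url failed, keeping $dest" >&2
        rm -f "$tmp"
        return 2
    fi
    install_rules "$tmp" "$dest"
}

# Run from cron, e.g. hourly:  update-rules.sh URL [DEST]
# Exit 0 means a new ruleset is in place (and snort should reread its config),
# 1 means nothing changed, 2 means the download was rejected and the old copy
# is still live. On a successful change, the diff against the backup is printed
# so the caller can pipe it into the hourly mail report.
if [ "$#" -ge 1 ]; then
    dest="${2:-$DEFAULT_DEST}"
    fetch_rules "$1" "$dest"
    rc=$?
    if [ "$rc" -eq 0 ] && [ -f "$dest.bak" ]; then
        diff -u "$dest.bak" "$dest"
    fi
    exit "$rc"
fi
```

Because the scratch file lives in the same directory as the live ruleset, the final mv is a rename: snort either sees the complete old file or the complete new one, never a half-written copy. A cron line such as `0 * * * * /usr/local/sbin/update-rules.sh http://mirror.example/vision.rules 2>&1 | mail -s "vision.rules update" root` (hostname assumed) gives the hourly report the thread describes, and a non-zero exit with the old ruleset still in place is exactly the fallback behaviour the message hopes for when the mirror is down.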
