[Snort-users] snort.conf vs vision.conf

Max Vision vision at ...4...
Sun Apr 22 07:27:20 EDT 2001


On Sun, 22 Apr 2001, dotslash wrote:
> if I use vision.conf (coz I'm using vision.rules -- so kinda make it
> uniform) will I be missing something that snort.conf (and its rules) uses?
> I tend to like the vision files as I can look up the IDS number and see what
> it means.
>
The two information sources are extremely different.  The signatures that
are bundled with Snort are a compilation taken from numerous sources,
originally a verbatim copy of my list of about 500 signatures made in 1999
(called vision.conf before arachNIDS existed) only with the credits
stripped, but then later added to and maintained, and more recently
maintained via CVS as part of snort.  In contrast, the modern
vision.conf/vision.rules are exports from the ongoing arachNIDS database
project, which is not a list of signatures, but an archive of intrusion
event information that is descriptive and detailed enough that IDS
signatures can be created from the data dynamically and exported.  The
database currently supports Snort and Pakemon, though it could (and will)
output signatures for use in other free and commercial IDS systems.  You
can use whatever works best for you, but if you are concerned about having
access to as many rules as are available, hang on just a little longer...

> I know I could merge them but I still feel queasy about the idea.  for one
> thing, why is it that there's a preprocessor for http-decode 80 8080 in
> snort.conf and in vision.conf it's only for 80?
>
The http-decode preprocessor is used to normalize traffic that will be
analyzed by the signatures.  Most http signatures watch for traffic to
port 80, and several to port 2301 for compaq management.  You should add
all ports that you have http-related signatures for to the parameter list
of http-decode.  So, although 8080 doesn't belong by default, I should add
port 2301.

Max
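The advice above (feed http-decode every port your http-related rules watch) is easy to get wrong by hand once a rule set grows, so here is a small consistency check. It is an added example, not code from this message or from the Snort or arachNIDS projects. It assumes the Snort 1.x configuration syntax `preprocessor http_decode: <port> <port> ...` and the 1.x rule layout `action proto src sport -> dst dport (options)`; a rule counts as http-related when it uses `uricontent` or its `msg` starts with `WEB-`. The conf fragment, the rules and their `sid` values are constructed for the example.

```python
import re

# Constructed snort.conf fragment (not from the original message).
SAMPLE_CONF = """\
var HOME_NET 10.0.0.0/8
preprocessor http_decode: 80 8080
"""

# Constructed rules in Snort 1.x syntax; the sid values are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example traversal"; flags:A+; uricontent:"/../"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"WEB-MISC compaq management example"; flags:A+; uricontent:"/cgi-bin/"; sid:1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"WEB-CGI example"; flags:A+; uricontent:"/test.cgi"; sid:1000003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example"; flags:A+; content:"SITE EXEC"; sid:1000004;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80:90 (msg:"WEB-MISC port range example"; uricontent:"/x"; sid:1000005;)
"""

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r'^\s*(alert|log|pass)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
HTTP_DECODE_RE = re.compile(r'^\s*preprocessor\s+http_decode\s*:\s*(.*)$')


def http_decode_ports(conf_text):
    """Ports listed on the http_decode preprocessor line(s) of a snort.conf."""
    ports = set()
    for line in conf_text.splitlines():
        m = HTTP_DECODE_RE.match(line)
        if m:
            ports.update(int(tok) for tok in m.group(1).split() if tok.isdigit())
    return ports


def is_http_rule(options):
    """Heuristic: uricontent is only meaningful on normalized HTTP, and the
    bundled web rules are named WEB-*."""
    return (re.search(r'\buricontent\s*:', options) is not None
            or re.search(r'msg\s*:\s*"WEB-', options) is not None)


def expand_port(spec):
    """Turn a destination port spec into a set of ints.
    Returns None when the spec cannot be resolved statically
    (any, a variable, or a negated port)."""
    if spec == 'any' or spec.startswith('$') or spec.startswith('!'):
        return None
    if ':' in spec:                      # range, e.g. 80:90, :1024, 1024:
        lo, hi = spec.split(':', 1)
        lo = int(lo) if lo else 1
        hi = int(hi) if hi else 65535
        return set(range(lo, hi + 1))
    return {int(spec)}


def http_rule_ports(rules_text):
    """Destination ports used by http-related rules, plus the rules whose
    destination port could not be resolved and need a manual look."""
    ports = set()
    unresolved = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or not is_http_rule(m.group(8)):
            continue
        expanded = expand_port(m.group(7))
        if expanded is None:
            unresolved.append(line.strip())
        else:
            ports |= expanded
    return ports, unresolved


def missing_ports(conf_text, rules_text):
    """Ports that http-related rules watch but http_decode does not normalize."""
    needed, _ = http_rule_ports(rules_text)
    return sorted(needed - http_decode_ports(conf_text))


if __name__ == '__main__':
    print("http_decode ports :", sorted(http_decode_ports(SAMPLE_CONF)))
    print("missing ports     :", missing_ports(SAMPLE_CONF, SAMPLE_RULES))
    _, todo = http_rule_ports(SAMPLE_RULES)
    for rule in todo:
        print("check by hand     :", rule)
```

Run against the constructed input it reports 2301 and 8000 (and the 81-90 tail of the range rule) as ports that http-related rules watch but http_decode does not normalize, while the FTP rule on port 21 is correctly ignored. The `unresolved` list is there for rules whose destination port is `any` or a variable, which the script cannot judge and a person must.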
