[Snort-users] rules files

Gray . Brendan bgray2 at ...3738...
Fri Oct 12 06:47:12 EDT 2001


I got my snort running with the Arachnids rules file (dated August 21), and
it seems to be doing ok.  I was experimenting with the whitehats rules file,
but it wasn't working for me.  I can get snort to run, but it doesn't log to
the alert file.  The logging section is the same as with Arachnids, it just
won't work.  

I know the Arachnids default setup uses the following preprocessors:

defrag
stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
telnet_decode
http_decode: 80 2301
rpc_decode: 111
bo: -nobrute
portscan: $INTERNAL 5 5 portscan

and the Snort rules default setup uses the following:

frag2
stream4: detect_scans
stream4: reassemble
http_decode: 80 -unicode -cginull
rpc_decode: 111
bo: -nobrute
telnet_decode
portscan: $HOME_NET 4 3 portscan.log

I do have my variables declared properly for each one<g>.  The output
options for both are the same, nothing configured so it should go to the
alert file.  It does with the Arachnids conf but not the snort conf.
Strange.  I'm wondering if it has to do with the different pre-processor
settings.  Does anyone know?  I'm running it on a RedHat 7.1 box Pentium
166, 48 megs RAM, 2.4.3 kernel and all the latest updates from RedHat.

After viewing results using the arachnids rules/conf I'd like to try the
snort rules/conf to compare the two.  The Snort rules/conf might be more
inclusive.

Brendan Gray
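The post lists two preprocessor sets and says the variables are declared for each; when alerts silently stop appearing after swapping conf files, the first thing worth checking mechanically is that every `$VAR` the preprocessor and output lines reference is actually declared, and which preprocessors differ between the two files. The script below is an added example and is not code from this thread or from the Snort project. The two config fragments are constructed in snort.conf syntax from the preprocessor lines quoted above; `HOME_NET` is deliberately left undeclared in the second fragment so the check has something to report.

```python
"""Parse two snort.conf fragments, report undeclared $VARs and preprocessor differences.

Added example for the mailing-list thread; the config text is constructed,
not the poster's real files.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed fragments mirroring the preprocessor lists quoted in the post.
# HOME_NET is intentionally missing from SNORT_CONF (constructed defect).
ARACHNIDS_CONF = """\
var INTERNAL 192.168.1.0/24
preprocessor defrag
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, \\
    maxbytes 16384
preprocessor telnet_decode
preprocessor http_decode: 80 2301
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $INTERNAL 5 5 portscan
"""

SNORT_CONF = """\
var INTERNAL 192.168.1.0/24
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4: reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
"""

_VAR_REF = re.compile(r"\$([A-Za-z_]\w*)")


@dataclass
class SnortConf:
    vars: Dict[str, str] = field(default_factory=dict)
    preprocessors: List[Tuple[str, str]] = field(default_factory=list)
    outputs: List[Tuple[str, str]] = field(default_factory=list)


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
    if buf.strip():
        out.append(buf.strip())
    return out


def parse_conf(text: str) -> SnortConf:
    """Collect 'var', 'preprocessor' and 'output' directives from snort.conf text."""
    conf = SnortConf()
    for line in _logical_lines(text):
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword == "var":
            name, _, value = rest.partition(" ")
            conf.vars[name] = value.strip()
        elif keyword in ("preprocessor", "output"):
            name, _, args = rest.partition(":")
            entry = (name.strip(), " ".join(args.split()))  # normalise whitespace
            (conf.preprocessors if keyword == "preprocessor" else conf.outputs).append(entry)
    return conf


def undeclared_vars(conf: SnortConf) -> List[str]:
    """Names used as $NAME in var values, preprocessor or output args but never declared."""
    referenced: Set[str] = set()
    for text in list(conf.vars.values()) + [a for _, a in conf.preprocessors + conf.outputs]:
        referenced.update(_VAR_REF.findall(text))
    return sorted(referenced - set(conf.vars))


def preprocessor_diff(a: SnortConf, b: SnortConf) -> Tuple[Set[str], Set[str]]:
    """Preprocessor names present in only the first / only the second config."""
    names_a = {name for name, _ in a.preprocessors}
    names_b = {name for name, _ in b.preprocessors}
    return names_a - names_b, names_b - names_a


if __name__ == "__main__":
    arachnids, snort = parse_conf(ARACHNIDS_CONF), parse_conf(SNORT_CONF)
    for label, conf in (("arachnids", arachnids), ("snort", snort)):
        print(f"{label}: outputs={conf.outputs or 'none (default alert file)'}, "
              f"undeclared vars={undeclared_vars(conf) or 'none'}")
    only_a, only_b = preprocessor_diff(arachnids, snort)
    print(f"only in arachnids: {sorted(only_a)}; only in snort: {sorted(only_b)}")
```

Run it against your own two conf files by reading them into the two strings; an entry in `undeclared_vars` is a reason the second conf behaves differently even though the output section is identical, and the preprocessor diff shows exactly which engine-level settings (`defrag`/`stream2` versus `frag2`/`stream4` here) changed between the two.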

-----Original Message-----
From: Dr SuSE [mailto:drsuse at ...749...]
Sent: Thursday, October 11, 2001 11:18 PM
To: steve at ...3789...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rules files


Go with the rules from snort.org.  The Arachnids rules haven't been updated in
several months.

> Which set of rules are 'better' - the ones from the snort website or the
> ones from the arachnids database?
