[Snort-users] rules files
Gray . Brendan
bgray2 at ...3738...
Fri Oct 12 06:47:12 EDT 2001
I got my snort running with the Arachnids rules file (dated August 21), and
it seems to be doing ok. I was experimenting with the whitehats rules file,
but it wasn't working for me. I can get snort to run, but it doesn't log to
the alert file. The logging section is the same as with Arachnids, it just
I know the Arachnids default setup uses the following preprocessors:
stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
http_decode: 80 2301
portscan: $INTERNAL 5 5 portscan
and the Snort rules default setup uses the following:
http_decode: 80 -unicode -cginull
portscan: $HOME_NET 4 3 portscan.log
I do have my variables declared properly for each one <g>. The output
options for both are the same, nothing configured so it should go to the
alert file. It does with the Arachnids conf but not the snort conf.
Strange. I'm wondering if it has to do with the different pre-processor
settings. Does anyone know? I'm running it on a RedHat 7.1 box, Pentium
166, 48 megs RAM, 2.4.3 kernel and all the latest updates from RedHat.
After viewing results using the arachnids rules/conf I'd like to try the
snort rules/conf to compare the two. The Snort rules/conf might be more
From: Dr SuSE [mailto:drsuse at ...749...]
Sent: Thursday, October 11, 2001 11:18 PM
To: steve at ...3789...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] rules files
Go with the rules from snort.org. The Arachnids rules haven't been updated
> Which set of rules are 'better' - the ones from the snort website or the
> ones from the arachnids database?
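The poster's first suspicion is the preprocessor lines, and the second is whether the variables each conf references ($INTERNAL in the Arachnids conf, $HOME_NET in the snort.org conf) are actually declared. The script below is an added example, not code from the post or from the Snort project: it parses Snort 1.x style conf text (`var`, `preprocessor name: args`, `output`, `include`, and alert/log/pass rules), reports every `$VAR` used before a `var` line declares it, notes when no `output` directive is present (so alerts go to the default alert file), and diffs the preprocessor settings of two confs. The two confs are constructed from the preprocessor lines quoted in the post; the missing `var HOME_NET` in the second one and the `sample.rules` include are deliberate placeholders so the check has something to catch.

```python
"""Lint Snort 1.x style configuration text: undefined $VARs, output
directives, and a preprocessor diff between two confs.

Added example, not from the post or the Snort project. Assumes the
Snort 1.x conf syntax: 'var NAME value', 'preprocessor name: args',
'output plugin: args', 'include file', and rules starting with
alert/log/pass.
"""
import re
from dataclasses import dataclass, field

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


@dataclass
class SnortConf:
    variables: dict = field(default_factory=dict)      # name -> value
    preprocessors: dict = field(default_factory=dict)  # name -> argument string
    outputs: list = field(default_factory=list)        # raw output directives
    includes: list = field(default_factory=list)       # included rule files
    rules: list = field(default_factory=list)          # rule lines kept verbatim
    undefined: list = field(default_factory=list)      # (line_no, var_name)


def parse_conf(text):
    """Parse conf text line by line; a $VAR counts as undefined if no
    'var' line has declared it by the time it is used (Snort reads the
    file top down, so order matters)."""
    conf = SnortConf()
    for n, raw in enumerate(text.splitlines(), 1):
        # '#' starts a comment; rule content containing '#' is rare enough
        # that this simple strip is acceptable for a lint pass.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for name in VAR_REF.findall(line):
            if name not in conf.variables:
                conf.undefined.append((n, name))
        parts = line.split(None, 2)
        kw = parts[0]
        if kw == "var" and len(parts) == 3:
            conf.variables[parts[1]] = parts[2]
        elif kw == "preprocessor":
            name, _, args = line[len("preprocessor"):].strip().partition(":")
            conf.preprocessors[name.strip()] = args.strip()
        elif kw == "output":
            conf.outputs.append(line[len("output"):].strip())
        elif kw == "include" and len(parts) >= 2:
            conf.includes.append(parts[1])
        elif kw in ("alert", "log", "pass"):
            conf.rules.append(line)
    return conf


def diff_preprocessors(a, b):
    """Return {name: (args_in_a, args_in_b)} for preprocessors whose
    arguments differ or that appear in only one conf (None = absent)."""
    diffs = {}
    for name in sorted(set(a.preprocessors) | set(b.preprocessors)):
        va, vb = a.preprocessors.get(name), b.preprocessors.get(name)
        if va != vb:
            diffs[name] = (va, vb)
    return diffs


def report(label, conf):
    print(f"== {label}")
    for name, args in conf.preprocessors.items():
        print(f"  preprocessor {name}: {args}")
    if not conf.outputs:
        print("  no output directive: alerts go to the default alert file")
    for n, name in conf.undefined:
        print(f"  line {n}: ${name} used but never declared with 'var'")


# Constructed confs modelled on the preprocessor lines quoted in the post.
ARACHNIDS_CONF = """\
var INTERNAL 192.168.1.0/24
var EXTERNAL !$INTERNAL
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
preprocessor http_decode: 80 2301
preprocessor portscan: $INTERNAL 5 5 portscan
alert tcp $EXTERNAL any -> $INTERNAL 80 (msg:"constructed test rule"; flags:S;)
"""

# HOME_NET is deliberately left undeclared; sample.rules is a placeholder.
SNORT_CONF = """\
var EXTERNAL_NET any
preprocessor http_decode: 80 -unicode -cginull
preprocessor portscan: $HOME_NET 4 3 portscan.log
include sample.rules
"""

if __name__ == "__main__":
    a, b = parse_conf(ARACHNIDS_CONF), parse_conf(SNORT_CONF)
    report("arachnids", a)
    report("snort.org", b)
    for name, (va, vb) in diff_preprocessors(a, b).items():
        print(f"  {name}: {va!r} -> {vb!r}")
```

Run it against the two real conf files (read them in place of the constructed strings) and the undefined-variable list is the first thing to check: a `$HOME_NET` that is referenced before its `var` line, or spelled differently from the declaration, is enough to keep rules from matching at all.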