[Snort-users] arachnids ids updater script
Kevin Brown usedcomputersales.net
isp at ...7826...
Sun Dec 22 06:08:04 EST 2002
So I am using Smoothwall firewall 1.0, but with serious virus.rules IDS lacking.
So I went to whitehats.com and got their arachnids updater.40.tar.gz, and ran it on
my Linux box. I then used scp to the Smoothwall and overwrote the old virus.rules.
My question is this:
Does the IDS take into consideration any internal-external IP addresses?
I think automation is great and want to write rules myself, but how does my IDS look
from outside using a generic set of rules?
Here is an example:
alert TCP $EXTERNAL any -> $INTERNAL 1080 (msg: "IDS481/misc_socks-overflow-x86linux"; flags: A+; content: "|eb29 5e 897630 89f0 83c008 894634|";)
This is IDS 481, which says: any TCP packet from external to internal (meaning my DHCP
cable modem to my internal 192.168.X.X NIC), on port 1080 with content of blah send
Does Snort know the internal and external NICs by name and IP?
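
Snort does not identify interfaces by name: $EXTERNAL and $INTERNAL in the rule above are variables that Snort expands from "var" lines in its configuration, and the result is matched against packet addresses. The sketch below is an added example, not part of the original post and not Snort's own code; the var values, the sample addresses and the function names are assumptions.

```python
import ipaddress
import re

# Constructed snort.conf-style variable definitions (assumed values).
SAMPLE_CONF = """\
var INTERNAL 192.168.0.0/16
var EXTERNAL !$INTERNAL
"""

# Header of the IDS481 rule quoted in the post.
RULE_HEADER = "alert TCP $EXTERNAL any -> $INTERNAL 1080"

def expand(text, table):
    """Replace each $NAME with its value; an undefined name is an error."""
    def sub(m):
        if m.group(1) not in table:
            raise KeyError("undefined variable $" + m.group(1))
        return table[m.group(1)]
    return re.sub(r"\$(\w+)", sub, text)

def parse_vars(conf):
    """Collect 'var NAME value' lines, expanding references to earlier vars."""
    table = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            name, value = m.groups()
            table[name] = expand(value, table)
    return table

def addr_matches(spec, ip):
    """Match an IP against 'any', a CIDR block, or a '!'-negated spec."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(header, table, src, dst, dport):
    """Check addresses and destination port against an expanded rule header.

    The source port field is not checked; the quoted rule uses 'any' there.
    """
    fields = expand(header, table).split()
    _action, _proto, s_spec, _sport, _arrow, d_spec, port = fields
    return (addr_matches(s_spec, src) and addr_matches(d_spec, dst)
            and port in ("any", str(dport)))
```

With these assumed definitions, a packet from an outside address to a 192.168.x.x host on port 1080 satisfies the rule header, while traffic between two internal hosts does not.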