[Snort-users] arachnids ids updater script

Kevin Brown usedcomputersales.net isp at ...7826...
Sun Dec 22 06:08:04 EST 2002


So I am using smoothwall firewall 1.0, but with serious virus.rules ids lacking.
So I went to whitehats.com and got their arachnids updater.40.tar.gz, and ran it on 
my linux box. I then used scp to the smoothwall and overwrote the old virus.rules.
My question is this:
Does the ids take into consideration any internal-external ip addresses?
I think automation is great and want to write rules myself, but how does my ids look 
from outside using a generic set of rules?
Here is an example:
alert TCP $EXTERNAL any -> $INTERNAL 1080 (msg: "IDS481/misc_socks-overflow-x86linux"; flags: A+; content: "|eb29 5e 897630 89f0 83c008 894634|";)
This is IDS 481, which says: any TCP packet from external to internal (meaning my DHCP
cable modem to my internal 192.168.X.X NIC), on port 1080 with content of blah, send
alert.
Does snort know the internal and external NICs by name and IP?
Kevin Brown




