[Snort-users] Two Snort-related questions:

tom porter tporter at ...2894...
Tue Feb 12 21:17:01 EST 2002

I've been lurking on this list for a while, & I have yet to see answers
to these two questions.
Maybe they are in the FAQ but I haven't found them.

1. I've been running snort/demarc on a bunch of different FreeBSD boxes
for a while. And I'm using the full default ruleset. Easy question - In
order for snort to work I have to unpack all of the rules into
/usr/local/share/snort. Is this directory definable somewhere? You'd
think it would be in snort.conf - but I don't see where to put it there.

2. Harder - I have several boxes in several DMZs. If I put a snort box
(configured as above w/ full rules) in one of these zones & let it
capture for a while - then, compare it to the log output of a bsd box
running w/ the log_in_vain options set - the results are dissimilar.
Specifically, the snort sensor does not pick up subseven scans (pretty
frequent). Is this a problem w/ my ruleset?

Thanks, Tom

