[Snort-users] RE: var HOME_NET and rule updates
Noller2G at ...4290...
Fri Jul 26 07:40:11 EDT 2002
> Message: 13
> From: "Daniel Lopez" <dlopez at ...6134...>
> To: <snort-users at lists.sourceforge.net>
> Date: Fri, 26 Jul 2002 16:31:59 +0300
> Subject: [Snort-users] newbie questions about snort.conf
> I'm a newbie with Snort and I guess you will find the following
> questions are basic.
> I'm performing some tests on Snort with two LANs. I set the
> HOME_NET and
> EXTERNAL_NET variables to these values:
> var HOME_NET 10.50.1.0/24
> var EXTERNAL_NET !$HOME_NET
===> Just set your vars to any to capture all threats in both directions.
var HOME_NET any
var EXTERNAL_NET any
> However, I would like to detect attacks from both subnets.
> Do you know
> if I will be able to detect attacks from both sides (from inside and
> outside my home network) with these values or should I set
> them to ANY?
> Then, because I am using small LANs for tests, I don't have any SMTP,
> HTTP and SQL servers.
> Thus, do I have to set the other variables to ANY (HTTP_SERVERS,
> SQL_SERVERS,...) or do I have to comment them? (however, if I comment
> them, I will have problems with rules, won't I?)
Just leave them as they are, default. They will work fine.
> Last question [sorry! :( ], I downloaded last version 1.8.7 and the
> snort rulesets.
> My question is how do I update rules?
By hand. The hard way.
Once you start customizing the rules to work for you, it gets real hard to
update the rules.
I used to do it by hand, now I use Demarc Puresecure (a commercial product)
and it updates rules automagically.
I'm sure there are scripts, freeware products, and favorite ways. I just
don't have the time.
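
Added example (not part of the original message and not Snort's own code): a small Python model of how a rule header of the form "$EXTERNAL_NET any -> $HOME_NET any" is evaluated under the two variable settings discussed in this thread. The second LAN address 10.50.2.0/24, the host addresses and all function names are assumptions made for illustration.

```python
import ipaddress

def resolve(spec, variables):
    """Expand a snort.conf-style address spec into (negated, network or None for 'any')."""
    negated = False
    while True:
        if spec.startswith("!"):        # negation, as in !$HOME_NET
            negated = not negated
            spec = spec[1:]
        elif spec.startswith("$"):      # variable reference
            spec = variables[spec[1:]]
        else:
            break
    net = None if spec == "any" else ipaddress.ip_network(spec)
    return negated, net

def addr_matches(ip, spec, variables):
    negated, net = resolve(spec, variables)
    hit = True if net is None else ipaddress.ip_address(ip) in net
    return hit != negated

def header_fires(src, dst, variables,
                 rule_src="$EXTERNAL_NET", rule_dst="$HOME_NET"):
    """True if a header 'rule_src any -> rule_dst any' covers the flow src -> dst."""
    return (addr_matches(src, rule_src, variables)
            and addr_matches(dst, rule_dst, variables))

# The two settings from the thread.
SCOPED = {"HOME_NET": "10.50.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
OPEN = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# Constructed test flows; 10.50.2.0/24 stands in for the second LAN.
FLOWS = {
    "other LAN -> home": ("10.50.2.7", "10.50.1.5"),
    "home -> other LAN": ("10.50.1.5", "10.50.2.7"),
    "home -> home": ("10.50.1.5", "10.50.1.9"),
}

def coverage(variables):
    """Map each constructed flow to whether the rule header would cover it."""
    return {name: header_fires(s, d, variables) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, v in (("scoped", SCOPED), ("any/any", OPEN)):
        print(label, coverage(v))
```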