[Snort-users] RE: var HOME_NET and rule updates

Noller, Gregory Noller2G at ...4290...
Fri Jul 26 07:40:11 EDT 2002


--__--__--
> 
> Message: 13
> From: "Daniel Lopez" <dlopez at ...6134...>
> To: <snort-users at lists.sourceforge.net>
> Date: Fri, 26 Jul 2002 16:31:59 +0300
> Subject: [Snort-users] newbie questions about snort.conf
> 
> Hello,
> 
> I'm a newbie with Snort and I guess you will find the following
> questions are basic.
> I'm performing some tests on Snort with two LANs. I set the HOME_NET and
> EXTERNAL_NET variables to these values:
> 
> var HOME_NET 10.50.1.0/24
> var EXTERNAL_NET !$HOME_NET


===>Just set your vars to any to capture all threats in both directions.
var HOME_NET any
var EXTERNAL_NET any


> 
> However, I would like to detect attacks from both subnets. Do you know
> if I will be able to detect attacks from both sides (from inside and
> outside my home network) with these values or should I set them to ANY?
> 
> Then, because I am using small LANS for tests, I don't have any SMTP,
> HTTP and SQL servers.
> Thus, do I have to set the other variables to ANY (HTTP_SERVERS,
> SQL_SERVERS,...) or do I have to comment them? (however, if I comment
> them, I will have problems with rules, isn't it?)

Just leave them as they are, default.  They will work fine.

> 
> Last question [sorry! :( ], I downloaded last version 1.8.7 and the
> snort rulesets.
> My question is how do I update rules?

By hand.  The hard way.

Once you start customizing the rules to work for you, it gets real hard to
update the rules.
I used to do it by hand, now I use Demarc Puresecure (a commercial product)
and it updates rules automagically.
 
I'm sure there are scripts, freeware products, and favorite ways.  I just
don't have the time.



Greg
Wichita
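
An added example, not part of the original message or of Snort itself: a small Python model of how the two variable settings discussed above change which traffic directions satisfy the address part of a rule written as `$EXTERNAL_NET any -> $HOME_NET any`. The second LAN's subnet (10.50.2.0/24), the sample flows and all function names are constructed assumptions.

```python
import ipaddress

def parse_value(value, variables):
    """Resolve 'any', a CIDR, a $VAR reference or a '!' negation to (negate, network)."""
    negate = value.startswith("!")
    if negate:
        value = value[1:]
    if value.startswith("$"):
        inner_negate, net = variables[value[1:]]
        return (negate != inner_negate, net)
    net = None if value == "any" else ipaddress.ip_network(value)
    return (negate, net)

def load_vars(conf_lines):
    """Parse 'var NAME VALUE' lines in order, as snort.conf does."""
    variables = {}
    for line in conf_lines:
        _, name, value = line.split()
        variables[name] = parse_value(value, variables)
    return variables

def addr_matches(ip, spec):
    negate, net = spec
    hit = net is None or ipaddress.ip_address(ip) in net
    return hit != negate

def rule_matches(flow, variables):
    """Address check for a rule header '$EXTERNAL_NET any -> $HOME_NET any'."""
    src, dst = flow
    return (addr_matches(src, variables["EXTERNAL_NET"])
            and addr_matches(dst, variables["HOME_NET"]))

# Constructed sample flows; 10.50.2.0/24 stands in for the second test LAN.
FLOWS = {
    "outside->home": ("10.50.2.7", "10.50.1.20"),
    "home->outside": ("10.50.1.20", "10.50.2.7"),
    "home->home": ("10.50.1.20", "10.50.1.30"),
}
ORIGINAL = ["var HOME_NET 10.50.1.0/24", "var EXTERNAL_NET !$HOME_NET"]
ANY_ANY = ["var HOME_NET any", "var EXTERNAL_NET any"]

def coverage(conf_lines):
    """Map each sample flow to whether the rule header would match it."""
    variables = load_vars(conf_lines)
    return {name: rule_matches(flow, variables) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("any/any", ANY_ANY)):
        print(label, coverage(conf))
```

With `any` on both sides the header matches every direction, so rules written for inbound traffic also fire on outbound and internal traffic and the alert volume to triage grows accordingly.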




