[Snort-users] newbie questions about snort.conf

twig les twigles at ...131...
Fri Jul 26 09:50:03 EDT 2002


1. To detect internal and external attacks make
EXTERNAL_NET = any.

2. Yes, you will have problems with rules if you
comment out the SQL...variables.  Even if you get it
to work by pruning all of those rules all you've
accomplished is missing those attacks against you
(futile as they are).  Plus you never know when
someone is running Visio, therefore may be vulnerable
to the latest microshaft exploit.  Better to make
these variables = HOME_NET or any.

3. Yes, cp the new rules to the snort directory where
you have the current rules, overwriting the current
rules in the process.  I don't use oinkmaster (yet),
rather a 5 or 6 line script that uses wget to grab new
rules each day and replace the old ones.


--- Daniel Lopez <dlopez at ...6134...> wrote:
> Hello,
> 
> I'm a newbie with Snort and I guess you will find
> the following
> questions are basic.
> I'm performing some tests on Snort with two LANs. I
> set the HOME_NET and
> EXTERNAL_NET variables to these values:
> 
> var HOME_NET 10.50.1.0/24
> var EXTERNAL_NET !$HOME_NET
> 
> However, I would like to detect attacks from boths
> subnets. Do you know
> if I will be able to detect attacks from both sides
> (from inside and
> outside my home network) with these values or should
> I set them to ANY?
> 
> Then, because I am using small LANS for tests, I
> don't have any SMTP,
> HTTP and SQL servers.
> Thus, do I have to set the other variables to ANY
> (HTTP_SERVERS,
> SQL_SERVERS,...) or do I have to comment them?
> (however, if I comment
> them, I will have problems with rules, isn't it?)
> 
> Last question [sorry! :( ], I downloaded last
> version 1.8.7 and the
> snort rulesets.
> My question is how do I update rules?
> Can I do it manually by copying them to the default
> Snort directory or
> only by changing the RULE_PATH variable, or do I
> have to use a script
> such as Oinkmaster?
> 
> Thanks in advance for all your help and sorry for
> all these basic
> questions...
> 
> Daniel Lopez
> 
> 
> 
>
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com




More information about the Snort-users mailing list