[Snort-users] newbie questions about snort.conf

Daniel Lopez dlopez at ...6134...
Fri Jul 26 09:54:02 EDT 2002


Yop! :) Thanks for your answer!

> -----Original Message-----
> From: twig les [mailto:twigles at ...131...]
> Sent: Friday, July 26, 2002 7:49 PM
> To: Daniel Lopez; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] newbie questions about snort.conf
> 
> 
> 1. To detect internal and external attacks make
> EXTERNAL_NET = any.
> 
> 2. Yes, you will have problems with rules if you
> comment out the SQL...variables.  Even if you get it
> to work by pruning all of those rules all you've
> accomplished is missing those attacks against you
> (futile as they are).  Plus you never know when
> someone is running Visio, therefore may be vulnerable
> to the latest microshaft exploit.  Better to make
> these variables = HOME_NET or any.
> 
> 3. Yes, cp the new rules to the snort directory where
> you have the current rules, overwriting the current
> rules in the process.  I don't use oinkmaster (yet),
> rather a 5 or 6 line script that uses wget to grab new
> rules each day and replace the old ones.
> 
> 
> --- Daniel Lopez <dlopez at ...6134...> wrote:
> > Hello,
> > 
> > I'm a newbie with Snort and I guess you will find
> > the following
> > questions are basic.
> > I'm performing some tests on Snort with two LANs. I
> > set the HOME_NET and
> > EXTERNAL_NET variables to these values:
> > 
> > var HOME_NET 10.50.1.0/24
> > var EXTERNAL_NET !$HOME_NET
> > 
> > However, I would like to detect attacks from both
> > subnets. Do you know
> > if I will be able to detect attacks from both sides
> > (from inside and
> > outside my home network) with these values or should
> > I set them to ANY?
> > 
> > Then, because I am using small LANs for tests, I
> > don't have any SMTP,
> > HTTP and SQL servers.
> > Thus, do I have to set the other variables to ANY
> > (HTTP_SERVERS,
> > SQL_SERVERS,...) or do I have to comment them?
> > (however, if I comment
> > them, I will have problems with rules, won't I?)
> > 
> > Last question [sorry! :( ], I downloaded the last
> > version 1.8.7 and the
> > snort rulesets.
> > My question is how do I update rules?
> > Can I do it manually by copying them to the default
> > Snort directory or
> > only by changing the RULE_PATH variable, or do I
> > have to use a script
> > such as Oinkmaster?
> > 
> > Thanks in advance for all your help and sorry for
> > all these basic
> > questions...
> > 
> > Daniel Lopez
> > 
> 
> 
> =====
> -----------------------------------------------------------
> All warfare is based on deception.
> -----------------------------------------------------------
> 
> 
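
Added example, not part of the original thread and not Snort's own code: a small Python model of how a rule header of the form "$EXTERNAL_NET any -> $HOME_NET any" is evaluated under the two EXTERNAL_NET values discussed in answer 1. The second LAN 10.50.2.0/24, the host addresses and all function names are constructed for illustration; ports, address lists and the bidirectional operator are left out.

```python
import ipaddress

def parse_var(value, variables):
    """Turn a snort.conf-style address value into a predicate on an IP.
    Handles 'any', a CIDR block, '$NAME' references and a leading '!'."""
    value = value.strip()
    if value.startswith("!"):
        inner = parse_var(value[1:], variables)
        return lambda ip: not inner(ip)
    if value.startswith("$"):
        return parse_var(variables[value[1:]], variables)
    if value == "any":
        return lambda ip: True
    net = ipaddress.ip_network(value)
    return lambda ip: ip in net

def header_matches(variables, src, dst,
                   rule_src="$EXTERNAL_NET", rule_dst="$HOME_NET"):
    """True when a flow src -> dst satisfies the address part of the rule header."""
    src_ok = parse_var(rule_src, variables)(ipaddress.ip_address(src))
    dst_ok = parse_var(rule_dst, variables)(ipaddress.ip_address(dst))
    return src_ok and dst_ok

# Constructed sample flows: HOME_NET is the poster's 10.50.1.0/24,
# 10.50.2.0/24 stands in for the second test LAN (assumption).
FLOWS = {
    "second LAN -> home": ("10.50.2.7", "10.50.1.20"),
    "home -> home": ("10.50.1.5", "10.50.1.20"),
    "home -> second LAN": ("10.50.1.5", "10.50.2.7"),
}

def coverage(external_net):
    """Which sample flows can a '$EXTERNAL_NET -> $HOME_NET' rule fire on?"""
    variables = {"HOME_NET": "10.50.1.0/24", "EXTERNAL_NET": external_net}
    return {name: header_matches(variables, src, dst)
            for name, (src, dst) in FLOWS.items()}

if __name__ == "__main__":
    for setting in ("!$HOME_NET", "any"):
        print(f"var EXTERNAL_NET {setting}")
        for name, hit in coverage(setting).items():
            print(f"  {name:20s} {'inspected' if hit else 'skipped'}")
```

In this model the home-to-home flow is only inspected with EXTERNAL_NET set to any, and the flow leaving HOME_NET for the second LAN is skipped under both settings because its destination is outside HOME_NET.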



