[Snort-users] Newbie - Rules updates, multiple interfaces, etc.
Mark G. Spencer
mspencer at ...9488...
Sun May 9 11:42:02 EDT 2004
I've been away from Snort for a while and just got back into it yesterday.
I'm running Snort on two machines, one Win98 and another WinXP Professional.
The command I run (from the USAGE document) is:
Snort -d -h (IP Address)/24 -l (Path to Log Folder) -c (Path to snort.conf)
This works pretty well - I came in this morning and had almost 150 alerts on
one of the Snort machines.
I'm curious about some things:
1.) Is there a way to automate rules updates?
2.) On Win98/2K/XP, can I configure Snort to run on two interfaces, logging
to separate log folders? Or run two instances of Snort, one for each
interface? My thought here is having one interface outside the firewall and
3.) I'm not much of a database person and have had difficulty with MySQL in
the past. For those of you running Snort that are not all that great with
databases, how do you recommend collecting and reviewing the Snort output?
4.) I asked this when I first tried Snort - how can I enable *all* Snort
rules? I got an answer (or answers) back that you wouldn't want to do this,
you should tune your rules for the platforms Snort is running in front of.
This doesn't make sense to me from a security perspective - who's to say
through an intrusion, other IT guys, or the curious guy in engineering that
new services will appear on your network you hadn't planned on? If you have
the processing power, wouldn't you want Snort utilizing the full ruleset?
Thanks in advance for suffering through the newbie questions!