[Snort-users] Help with Snort setup

sekure sekure at ...11827...
Tue Sep 14 08:02:02 EDT 2004


Is it just me or is the list getting more and more emails of the
content: "I don't know Unix, or Windows, or networking, but I want to
setup Snort, please help me."?

Pardon the stupid question, but even if after enlisting the help of
everyone on the list you do manage to somehow get Snort up and
running, what purpose can it possibly serve?  All of the alerts
generated are fairly complex and require at least some understanding
of the underlying OS and networking technology to analyze them, not to
mention separate false positives from the rest of the traffic, tune
the rules, follow up on alerts, etc. This is why I feel that the step
by step guides are almost a disservice, they make Snort accessible to
people who don't know what to do with it. And even the guides
themselves generate a load of questions.

I almost feel like there should be a variation on the amusement park
sign: "You must know this much to run Snort"...

IDS is not a set it and forget it solution, and not a magic bullet.
Just "setting up Snort" will not make you magically more secure.  So
unless you are willing to dedicate serious time to it, don't even
bother.  And if you are, search the archives, read the FAQ, search the
archives, learn how to build from scratch, did I mention search the
archives?  Reading the rules to the Snort-Users Drinking Game wouldn't
hurt either; you'll know the questions NOT to ask.

I digress....
