[Snort-users] Help with Snort setup

Harper, Patrick patrick.harper at ...11593...
Tue Sep 14 12:14:08 EDT 2004

I have to agree with you on a lot of what you said, but... the setup
guides have helped a lot of people transition over to Linux for security
products.  Some people like this guy seem to have no business running
snort or being responsible for security (at least from what I have seen
from his posts, he may be the brightest guy in the world and just be
having a really really bad week) but others who can read directions and
understand basics benefit from them.  I am a little biased seeing as I
wrote one of them and have seen a lot of people learn more about
security and Linux in general from playing with them.  They just needed
a little help in the beginning, but these people had the will and desire
to learn.  They find Infosec interesting, they stay on mailing lists
like this and try to help people learn and get better at there jobs.
The people that expect the regulars to be a 24/7 tech support with
platinum level support response time are just unrealistic.  I have and
will continue to help as many people as I can learn more about security,
as long as those people take the time to understand what they are doing
and can follow directions when they are doing for the first time and
don't have a clue.  I will also hopefully continue to learn from people
on this list how to better do my job (seeing as a major part of it is
working with IDS)
-----Original Message-----
From: sekure [mailto:sekure at ...11827...] 
Sent: Tuesday, September 14, 2004 10:01 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Help with Snort setup

Is it just me or is the list getting more and more emails of the
content: "I don't know Unix, or Windows, or networking, but I want to
setup Snort, please help me."?

Pardon the stupid question, but even if after enlisting the help of
everyone on the list you do manage to somehow get Snort up and running,
what purpose can it possibly serve?  All of the alerts generated are
fairly complex and require at least some understanding of the underlying
OS and networking technology to analyze them, not to mention separate
false positives from the rest of the traffic, tune the rules, follow up
on alerts, etc. This is why I feel that the step by step guides are
almost a disservice, they make Snort accessible to people who don't know
what to do with it. And even the guides themselves generate a load of

I almost feel like there should be a variaton on the amusement park
sign: "You must know this much to run Snort"...

IDS is not a set it and forget it solution, and not a magic bullet. 
Just "setting up Snort" will not make you magically more secure.  So
unless you are willing to dedicate serious time to it, don't even
bother.  And if you are, search the archives, read the FAQ, search the
archives, learn how to build from scratch, did I mention search the
archives?  Reading the rules to the Snort-Users Drinking Game wouldn't
hurt either, you'll know the questions NOT to ask.

I digress....

This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM. 
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately. 

More information about the Snort-users mailing list