[Snort-users] A few questions

Matt Kettler mkettler at ...4108...
Tue Sep 14 17:09:01 EDT 2004

At 05:36 PM 9/14/2004, Newbie wrote:
>I am not on a network, I simply have my PC and router as a home 
>configuration. However I get a lot of false negatives where the error 
>relates to my router. How can I configure HOME_NET to therefore include 
>any IPs that begin with 123.123 etc? Currently it is setup IP/32 – what 
>would the new one be?
   (contains through

Also for completeness should you need a smaller range at some point:
   (contains through

>Secondly, because I am using a home PC/router, I am not sure the 
>flow:to_server is relevant for me. These commands also include major 
>anti-trojan rules which don’t seem to therefore work for my PC setup. Can 
>I simply remove these commands if I am not on a server?

Some of them are relevant.. In this context "server" refers to the system 
which answered a TCP connection request, not something running on a 
"server" version of windows, etc.

A backdoor installed on your machine could appear as a "server" in this 

However, if you aren't running any dns servers, webservers, etc, you can, 
and probably should, trim down which .rules files you are using.

>And finally – a more simple question, apart from a Snort equivalent with 
>some more graphs, what more security features do all these wiz-bang 
>systems you pay thousands for actually include?

800 number Technical support contracts, known good hardware, preconfigured, 
prehardened, etc.  Some have different approaches to processing packets 
with various advantages and drawbacks, but at a high-level view they are 
quite similar.

On some level it's a bit like asking what the difference between a linux 
box with a good IPTables config and a couple of Nics and a Cisco PIX is. 
Both serve the same functions, but you can spend a lot of time setting up 
the linux box to get it right.

Also having a support contract where they can request a replacement unit 
with 24-hour delivery is reassuring in a business environment where 
downtime costs, although this is more relevant to routers/firewalls than IDS's.

More information about the Snort-users mailing list