[Snort-users] A few questions
mkettler at ...4108...
Tue Sep 14 17:09:01 EDT 2004
At 05:36 PM 9/14/2004, Newbie wrote:
>I am not on a network, I simply have my PC and router as a home
>configuration. However I get a lot of false negatives where the error
>relates to my router. How can I configure HOME_NET to therefore include
>any IPs that begin with 123.123 etc? Currently it is setup IP/32 what
>would the new one be?
18.104.22.168/16 (contains 22.214.171.124 through 126.96.36.199)
Also for completeness should you need a smaller range at some point:
188.8.131.52/24 (contains 184.108.40.206 through 220.127.116.11)
>Secondly, because I am using a home PC/router, I am not sure the
>flow:to_server is relevant for me. These commands also include major
>anti-trojan rules which don't seem to therefore work for my PC setup. Can
>I simply remove these commands if I am not on a server?
Some of them are relevant. In this context "server" refers to the system
which answered a TCP connection request, not something running on a
"server" version of Windows, etc.
A backdoor installed on your machine could appear as a "server" in this
However, if you aren't running any dns servers, webservers, etc, you can,
and probably should, trim down which .rules files you are using.
>And finally a more simple question, apart from a Snort equivalent with
>some more graphs, what more security features do all these wiz-bang
>systems you pay thousands for actually include?
800-number technical support contracts, known good hardware, preconfigured,
prehardened, etc. Some have different approaches to processing packets
with various advantages and drawbacks, but at a high-level view they are
On some level it's a bit like asking what the difference is between a Linux
box with a good iptables config and a couple of NICs and a Cisco PIX.
Both serve the same functions, but you can spend a lot of time setting up
the Linux box to get it right.
Also having a support contract where they can request a replacement unit
with 24-hour delivery is reassuring in a business environment where
downtime costs, although this is more relevant to routers/firewalls than IDSs.
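The HOME_NET answer above turns on CIDR prefix length: a /32 is exactly one host, a /24 covers the last octet, a /16 covers the last two. The following is an added example, not part of the original thread, that uses Python's standard ipaddress module to show which addresses each prefix length includes and to emit the corresponding snort.conf line. The 123.123 prefix comes from the question; the PC address 123.123.45.67 and router address 123.123.45.1 are constructed sample values.

```python
import ipaddress


def home_net_range(cidr: str):
    """Return (first address, last address, address count) for a HOME_NET CIDR.

    strict=False masks off any host bits, so "123.123.45.67/16" is treated
    as 123.123.0.0/16 rather than raising ValueError.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def in_home_net(cidr: str, addr: str) -> bool:
    """True if addr falls inside the HOME_NET block given as cidr."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def snort_home_net_line(blocks) -> str:
    """Format a Snort 2.x 'var HOME_NET' line.

    A single block is written bare; several blocks use Snort's
    bracketed, comma-separated list syntax.
    """
    blocks = [str(ipaddress.ip_network(b, strict=False)) for b in blocks]
    if len(blocks) == 1:
        return f"var HOME_NET {blocks[0]}"
    return "var HOME_NET [" + ",".join(blocks) + "]"


if __name__ == "__main__":
    pc = "123.123.45.67"      # constructed: the home PC
    router = "123.123.45.1"   # constructed: the router on the same /24
    for cidr in (f"{pc}/32", "123.123.45.0/24", "123.123.0.0/16"):
        first, last, count = home_net_range(cidr)
        print(f"{cidr:>18}: {first} - {last} ({count} addresses); "
              f"router included: {in_home_net(cidr, router)}")
    print(snort_home_net_line(["123.123.0.0/16"]))
```

Running the block shows that the /32 from the question excludes the router entirely, which is why rules keyed on HOME_NET never match traffic to or from it, while /24 and /16 both include it; a /16 also takes in every other 123.123.x.x address, so the narrower /24 is usually the better choice when the router sits in the same last octet.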