[Snort-users] Snort rules

Chris Vaughan chrisv at ...12963...
Tue Feb 8 12:29:53 EST 2005


The truthful answer is this: the rules are set up to meet the needs of *most* users. If the rule doesn't fit your needs, then make a modified copy of it and stick it in your local.rules file.
 
Don't expect snort to completely match your needs right out of the box. Most of us have spent weeks/months setting up custom rules, thresholds, and the like to make snort work in our environments.  
 
Chris Vaughan
 
-----Original Message-----
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net]On Behalf Of sEc nErD
Sent: Tuesday, February 08, 2005 3:17 PM
To: Snort Users Postings
Subject: RE: [Snort-users] Snort rules
 
I have a question for security admins here.
Our client performed an internal port scan using super scan on their internal network. When I say internal network I mean private network LAN.
Our snort sensor didn't catch any of it, the whole port scan, and after doing some digging I saw the scan.rules file and saw that it is checking all inbound port scans like $external any-->$Home Network.
Now the client is questioning us as to why this should not be checked both ways. He is saying if it is somebody in their network doing a port scan it will go unnoticed.
Can anybody answer this?
Thanks
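An added example, not part of the original thread or of the Snort distribution: one way to produce the "modified copy" for local.rules that the reply describes, by rewriting a rule's source from $EXTERNAL_NET so that scans originating inside the LAN also match. The sample rule is constructed for illustration (it is not copied from scan.rules), and the helper name `localize_rule` and the "LOCAL internal" message prefix are assumptions.

```python
import re

# Snort convention: sids of 1,000,000 and above are reserved for local rules.
LOCAL_SID_BASE = 1_000_000

# action proto src sport direction dst dport (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$')


def localize_rule(rule, new_sid, src="$HOME_NET"):
    """Return a local.rules copy of `rule` with its source changed to `src`."""
    m = HEADER.match(rule.strip())
    if m is None:
        raise ValueError("not a single-line Snort rule")
    if new_sid < LOCAL_SID_BASE:
        raise ValueError("local rules need a sid of 1000000 or higher")
    if m["src"] != "$EXTERNAL_NET":
        raise ValueError("rule source is not $EXTERNAL_NET; nothing to widen")
    opts = m["opts"]
    if not re.search(r'\bsid:\s*\d+;', opts):
        raise ValueError("rule has no sid option")
    # New sid and rev 1 so the copy never collides with the stock rule.
    opts = re.sub(r'\bsid:\s*\d+;', f'sid:{new_sid};', opts)
    opts = re.sub(r'\brev:\s*\d+;', 'rev:1;', opts)
    # Tag the message so alerts from the copy are distinguishable.
    opts = re.sub(r'msg:\s*"', 'msg:"LOCAL internal ', opts, count=1)
    return (f'{m["action"]} {m["proto"]} {src} {m["sport"]} {m["dir"]} '
            f'{m["dst"]} {m["dport"]} ({opts})')


# Constructed sample in the style of an inbound-only scan rule.
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
          '(msg:"SCAN example probe"; flags:SF; '
          'classtype:attempted-recon; sid:99999; rev:3;)')

if __name__ == "__main__":
    # Append the printed line to local.rules.
    print(localize_rule(SAMPLE, 1000001))
```

The rewritten rule only fires if the sensor is placed where it can see LAN-to-LAN traffic, for example on a span port of the internal switch.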

